Posted: February 27th, 2023

Digital Ethics – 5

Topic: Global laws & litigation, BCI (Brain-Computer Interface) technology

1) Select a country or a region from the privacy laws around the world: Indicate which laws are present in this area and the level of maturity of these laws insofar as they pertain to privacy and the protection of people.

2) Imagine that you are a lawyer working for the consumer protection organization in the selected country or region. BCI technology is being rolled out extensively in this country or region and you are trying to use the existing laws to protect people from the risks associated with it. What arguments do you use?

3) Where are the gaps between existing regulation and this innovation?

APA Format, 600 words, Due Feb 20th

NOVEMBER 2021

PRIVACY AND THE CONNECTED MIND

Understanding the Data Flows and Privacy Risks of Brain-Computer Interfaces

Authors

Jeremy Greenberg, Policy Counsel, Future of Privacy Forum
Katelyn Ringrose, Policy Fellow, Future of Privacy Forum
Sara Berger, Research Staff Member and Neuroscientist, IBM Research
Jamie VanDodick, AI Ethics Leader, Chief Privacy Office, IBM
Francesca Rossi, AI Ethics Global Leader, IBM
Joshua New, Technology Policy Executive and Senior Fellow, IBM Policy Lab

Acknowledgments

The Future of Privacy Forum would like to thank the following individuals for their advice and expertise: Dr. Tamara Bonaci, Assistant Teaching Professor at the Khoury College of Computer Sciences at Northeastern University; Dr. Laura Y. Cabrera, Dorothy Foehr and J. Lloyd Huck Chair in Neuroethics, Associate Professor, Center for Neural Engineering, The University of Pennsylvania State University; and Dr. Peter Reiner, Professor of Neuroethics at the University of British Columbia.

Thank you to FPF Policy Interns: Samuel Adams, Noah Katz, and Hannah Schaller for their contributions to this paper. An additional thank you to IBM legal counsel, Ron Leviner, and IBM Racial and Social Justice Scholar, Alex Baria, for their contributions to the paper, and to Guillermo Cecchi and Jeff Rogers from IBM for their suggestions.

FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 1

TABLE OF CONTENTS

Executive Summary 2
Introduction 4
Part I: BCIs are Devices That Can Both Record and Modulate an Individual’s Brain Signals Through the Collection and Processing of Neurodata 5
Part II: BCIs Provide Benefits and Present Risks in a Number of Sectors Including Health, Gaming, Employment, Education, Smart Cities, Neuromarketing, and the Military 11
Part III: A Mix of Technical and Policy Solutions Can Mitigate Risks 26
Conclusion 32
Endnotes 33

EXECUTIVE SUMMARY

This report provides an overview of the technology, benefits, privacy and ethical risks, and proposed recommendations for promoting privacy and mitigating risks associated with brain-computer interfaces (BCIs). BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. While neurodata can take many forms, this report discusses “neurodata” as data generated by the nervous system, which consists of electrical activity between neurons or proxies of this activity. Personal neurodata refers to neurodata that is reasonably linkable to an individual.

BCI devices can be either invasive or non-invasive. Invasive BCIs are installed directly into—or on top of—the wearer’s brain through a surgical procedure. Today, invasive BCIs are typically used in the health context. Non-invasive BCIs rely on external electrodes and other sensors or equipment connected to or monitoring the body for collecting and modulating neural signals. Consumer-facing BCIs use various non-invasive methods, including headbands.

Some BCI implementations raise few, if any, privacy issues. For example, individuals using BCIs to control computer cursors might not reveal any more personal information than typical mouse users, provided BCI systems promptly discard cursor data. However, some uses of BCI technologies raise important questions about how laws, policies, and technical controls can safeguard inferences about individuals’ brain functions, intentions, moods, or identity. These questions are increasingly urgent in light of the many potential applications of expanded BCI use in:

› Healthcare – where BCIs could monitor fatigue, diagnose medical conditions, stimulate or modulate brain activity, and control prosthetics and external devices.

› Gaming – where BCIs could augment existing gaming platforms and offer players new ways to play using devices that record and interpret their neural signals.

› Employment and Industry – where BCIs could monitor workers’ engagement to improve safety during high-risk tasks, alert workers or supervisors to dangerous situations, modulate workers’ brain activity to improve performance, and provide tools to more efficiently complete tasks.

› Education – where BCIs could track student attention, identify students’ unique needs, and alert teachers and parents of student progress.

› Smart Cities – where BCIs could provide new avenues of communication for construction teams and safety workers and enable potential new methods for connected vehicle control.

› Neuromarketing – where marketers could incorporate the use of BCIs to intuit consumers’ moods and to gauge product and service interest.

› Military – where governments are researching the potential of BCIs to help rehabilitate soldiers’ injuries and enhance communication.

This report focuses on the current privacy impacts of BCIs, as well as the data protection questions raised by realistic, near-future use of BCIs. While the potential uses of BCIs are numerous, BCIs cannot at present or in the near future “read a person’s complete thoughts,” serve as an accurate lie detector, or pump information directly into the brain. It is important for stakeholders in this space to delineate between the current and likely future uses and far-off notions depicted by science fiction creators, so that we can identify urgent concerns and prioritize meaningful policy initiatives. We take seriously the concerns raised by futuristic potential developments and keep them in mind as we make recommendations, but in this paper we focus on the immediately pressing need to address issues already faced and likely to be faced in the upcoming decade.

Although the report primarily focuses on the privacy concerns—including questions about the transparency, control, security, and accuracy of data—involving existing and emerging BCI capabilities, these technologies also raise important technical considerations and ethical implications, related to, for example, fairness, justice, human rights, and personal dignity.1 These concerns are equally critical and complex, so this report highlights where additional ethical and technical concerns emerge in various use cases and applications of BCIs. Greater in-depth discussion of areas beyond privacy warrants additional research and careful consideration, and we hope to turn to those issues in future efforts.

To promote privacy and responsible use of BCIs, stakeholders should adopt technical guardrails including:

› Providing on/off controls when possible—including hardware switches if practical;

› Providing users with granular controls on devices and in companion apps for managing the collection, use, and sharing of personal neurodata;

› Providing heightened transparency and control for BCIs that specifically send signals to the brain, rather than merely receive neurodata;

› Designing, documenting, and disclosing clear and accurate descriptions regarding the accuracy of BCI-derived inferences;

› Operationalizing industry or research-based best practices for security and privacy when storing, sharing, and processing neurodata;

› Employing appropriate privacy enhancing technologies;

› Encrypting personal neurodata in transit and at rest; and

› Embracing appropriate protective and defensive security measures to combat bad actors.

Stakeholders should also adopt policy safeguards including:

› Ensuring that BCI-derived inferences are not used to influence decisions about individuals that have legal effects, livelihood effects, or similar significant impacts—e.g. assessing the truthfulness of statements in legal proceedings, inferring thoughts, emotions or psychological state, or personality attributes as part of hiring or school admissions decisions, or assessing individuals’ eligibility for legal benefits;

› Employing sufficient transparency, notice, terms of use, and consent frameworks to empower users with a baseline of BCI literacy around the collection, use, sharing, and retention of their neurodata;

› Engaging IRBs and other independent review mechanisms to identify and mitigate risks;

› Facilitating participatory and inclusive community input prior to and during BCI system design, development and rollout;

› Creating dynamic technical, policy, and employee training standards to account for the gaps in current regulation;

› Promoting an open and inclusive research ecosystem by encouraging the adoption, where possible, of open standards for neurodata and the sharing of research data under open licenses and with appropriate safeguards in place. A similar open-skills approach could also be considered for a subset of direct-to-consumer BCIs; and

› Evaluating the adequacy of existing policy frameworks for governing the unique risks of neurotechnologies and identifying potential gaps prior to new regulation.

Key Terminology and Definitions

› Neurodata – Data generated by the nervous system,2 which consists of the electrical activities between neurons or proxies of this activity.

› Personal Neurodata – Neurodata that is reasonably linkable to an individual.

› Neurotech/Neurotechnology – Technology that collects, interprets, infers or modifies neurodata.

› Brain-Computer Interface (BCI) – Computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity.


INTRODUCTION

Brain-computer interfaces (BCIs) are a prime example of an emerging technology that is advancing new areas of human-machine interaction. Today, BCIs are primarily used in the healthcare context for purposes including: rehabilitation, diagnosis, symptom management, and accessibility. While BCI technologies are not yet widely adopted in the consumer space, there is a recent interest in and proliferation of new direct-to-consumer neurotechnologies. The emergence of such technologies across various sectors poses numerous benefits and raises significant questions about user privacy.

When connected to the Internet,3 BCIs can be classified as a type of wearable or implanted instrument within the Internet of Bodies, a network of devices connected to, and generating information from, the human body.4 Such communication has long been supported by various interfaces, from the keyboard and mouse to touchscreens, voice commands, and gesture interactions. As computers become more integrated into daily human experience, new ways of commanding computer systems and experiencing digital realities have gained in popularity, with novel uses ranging from gaming to education.

While BCIs offer benefits from improving patient health outcomes to providing more immersive and customizable education, training, and entertainment, the technologies raise many of the same risks posed by digital home assistants, medical devices, and wearables. New and heightened risks associated with privacy of thought also emerge, resulting from recording, using, and sharing of a variety of neural signals.5 According to a recent report, consumers list privacy and security as major concerns regarding neural interfaces, second only to product safety.6 Sometimes, BCIs must always be on in order to function properly—particularly in the health and medical context. Always-on tech can collect more information than users expect, particularly when individuals are not provided sufficiently clear and detailed notice prior to consent. This report explores how BCIs fit into the broader scheme of next-generation interfaces, and suggests safeguards to mitigate potential privacy and security risks.

Because of the emerging nature of BCIs, it is important to consider both current and future-facing privacy and ethical risks based on technical capabilities, use cases, and the current understanding of neurodata. Along with identifying what neurodata and personal neurodata are collected by BCIs and what conclusions or inferences are drawn based on this data, it is equally important to specify what BCIs cannot achieve, especially given the current hype cycle surrounding technologies that can easily veer into unrealistic, sci-fi territory. At the moment, BCIs cannot read an individual’s precise thoughts, accurately determine whether someone is telling the truth or lying, or directly pump knowledge or skills into an individual’s brain or make someone “smarter.” While these capabilities could exist in the future and warrant discussion and debate, they are far attenuated from current realities. This report appreciates the importance of such discussions, but seeks to focus on the current—and likely, near-term—capabilities of BCIs discussed in this report.7

Part I: BCIs are Devices that Can Both Record and Modulate an Individual’s Brain Signals Through the Collection and Processing of Neurodata

A. BCIs are Computer-Based Systems that Record, Modulate—or Both Record and Modulate—Electrical Brain Signals, Which Can Be Translated Into Outputs

BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs that can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; and 3) those that do both, also called bi-directional BCIs (BBCIs).8 BCIs that record brain activity are more commonly used in the healthcare, gaming, and military contexts. Modulating BCIs are typically found in the healthcare context. For example, modulating BCIs are used to treat Parkinson’s disease and other movement disorders by using deep brain stimulation to treat the rigidity, slowness, and resting tremors common in Parkinson’s patients.9 While BCIs technically refer to devices that directly record or modulate the brain, other related neurotechnologies indirectly record and modulate. One of the most successful examples of indirect stimulation is cochlear implants, which help restore hearing and suppress tinnitus by modifying the information that is provided to a compromised auditory system.10 BBCIs, which both record and modulate, can be an especially useful rehabilitation tool for spinal injuries or strokes.11

B. BCIs Can be Invasive or Non-Invasive and Employ a Number of Techniques for Collecting Neurodata and Modulating Neural Signals

BCIs can be invasive or non-invasive.12 Invasive BCIs are installed directly into—or on top of—the wearer’s brain through a surgical procedure. Today, invasive BCIs are used in the health context. For example, invasive clinical BCI implants have been used to improve patients’ motor skills.13 Invasive BCI implants can involve a number of different types of implants. An electrode array called a Utah array is installed into the brain and relies on a series of small metal spikes set within a small square implant to collect or modulate brain signals. New innovations like neural lace and neural dust are meant to drape over or be inserted into multiple areas within the brain.14

[Figure: Utah array. Image courtesy Wikipedia.]

Other prominent examples of invasive BCIs rely on electrocorticography (ECoG), in which electrodes are attached to the exposed surface of the brain to measure electrical activity of the cerebral cortex. ECoG is most widely used for helping medical providers locate the area that is the center of epileptic seizures. This detection helps facilitate more targeted medical treatment but does not constitute medical treatment itself.15

In April 2021, Neuralink—Elon Musk’s startup centered around creating a minimally invasive BCI—released a video of a macaque monkey playing a videogame using an invasive BCI.16 Explaining Neuralink’s invasive BCI prototype, “in a lot of ways,” Musk said, “it’s kind of like a Fitbit in your skull, with tiny wires.”17 While the Neuralink device is still in the prototype stage, the technology points to a possible future where invasive BCIs are used for commercial purposes, such as gaming, entertainment, education, and wellness. Today it seems unlikely that consumers would be willing to surgically implant a device into their brain for commercial enjoyment, cognitive monitoring, education, and other direct-to-consumer uses, but only time will tell whether invasive BCIs for commercial purposes will eventually become mainstream.

Unlike invasive BCIs, non-invasive BCIs do not require surgery. Instead, non-invasive uses of BCI technology rely on external electrodes and other sensors for collecting and modulating neural signals.

One of the most prominent examples of a non-invasive BCI technology is an electroencephalogram (EEG)—a method for recording electrical activity in the brain, with electrodes placed on the surface of the scalp to measure the activity of neurons in the brain.18 EEG-based BCIs are common in the gaming space, in which collected brain signals are used to control in-game characters and select in-game items. Another noteworthy non-invasive method is functional near-infrared spectroscopy (fNIRS), which measures proxies of brain activity via changes in blood flow to certain regions, specifically changes in oxygenated and deoxygenated hemoglobin concentrations, using near-infrared light.19 fNIRS is especially prominent in wellness and medical BCIs, such as those used to control prosthetic limbs.20

Other non-invasive techniques go beyond simply recording neurodata by also modulating the brain, which is one reason the term “non-invasive” is fairly contentious, with researchers and scientists finding the line between invasive and non-invasive uses of BCIs difficult to draw. For example, can a device that modulates a brain in a closed-loop fashion—meaning that neurodata recorded by the BCI serves as an input in how the BCI stimulates the user’s neural signals—ever truly be non-invasive? What about a device that is not implanted surgically, but still carries the potential for stimulation? For instance, transcranial direct current stimulation (tDCS)21 and transcranial magnetic stimulation (TMS)22 are both used to modulate neuroactivity in various areas, including the frontal lobes. Researchers have proposed that these forms of stimulation may increase memory and learning abilities; however, such claims are still under review.23 Non-invasive neurotechnologies should not be equated to non-harmful technologies—just because a device is not directly implanted to sit on or within the human brain does not mean that device does not pose unique health and other privacy and data use risks.24

[Figure: An example of a non-invasive EEG-fitted BCI device.]

BCIs are generally characterized by four components:25

› Signal Acquisition and Digitization: involves sensors (e.g. EEG, fMRI, etc.) measuring neural signals. The device amplifies signals to levels that enable processing and sometimes filters collected signals to remove unwanted data elements, such as noise and artifacts. These signals are digitized and transferred to a computer.

› Feature Extraction: As part of signal processing, applicable signals are separated from extraneous data elements, including artifacts and other undesirable elements.

› Feature Translation: Signals are transformed into usable outputs.

› Device Output: Translated signals can be used as visualizations for research or care, or they can be used as directed instructions, including feedforward commands utilized to operate external BCI components (e.g. external software or hardware like a robotic arm) or feedback commands which may provide afferent (conducted inward) information to the user or may directly modulate on-going neural signals.

An example of these components can be found in the following figure.

[Figure: BCI components. Brain signals (EEG, ECoG, single unit) → Signal Acquisition → Digitized Signal Processing (Feature Extraction, Translation Algorithm) → Control Signals → Device Command, with Feedback returned to the user.]

While the focus of this report is technologies that record or influence neurodata from the brain, neurodata is also found throughout the nervous system (including from the spinal cord and peripheral nervous system) and thus similar but non-BCI neurotechnologies are being developed that capitalize on these downstream signals. Other invasive and non-invasive techniques include indirectly collecting neurosignals sent from the brain with sensors placed on other parts of the human body. For instance, an electromyography (EMG) sensor is a neurotechnology that can be worn non-invasively as a wristband26 or inserted into the human body to indirectly record motor neurons and their electrical activity in muscles.27 Today this method is typically used to diagnose neuromuscular abnormalities, but future use cases point to using EMG for detecting an individual’s intent to move fingers and other appendages for operating virtual keyboards and other devices.28

[Figure: A Timeline of Interfaces.29 Labelled milestones: 1924 First Human EEG Recorded; 1952 First Voice Interface; 2021 A Paralyzed Man Uses a BCI to Type with His Thoughts. Further milestones shown with year labels 1968, 1969, 1973, 1973, 1982, 1998, 2005, 2012, 2016, 2018 and 2019: First Virtual Reality Headset; First Successful Cochlear Implant; The Term “Brain-Computer Interface” is Coined; First Computer Mouse is Commercially Available; First Multi-Touch Touchscreen; First Invasive BCI That Produces High-Quality Signals; First Person to Control an Artificial Hand Using BCI; Paralysis Patients Control Robotic Arms Using BCI; First BCI to Restore Sensation to a Paralyzed Person; Signals from an Invasive BCI are Accurately Decoded Into Text with an Error Rate as Low as 3% When Tested On Vocabularies Up to 300 Words; BCI Provides Rudimentary Vision to a Low-Vision Patient.]

C. Recorded Neurodata Becomes Personal Neurodata When It is Reasonably Linkable to an Individual

Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. These neurons help carry out tasks, such as comprehension, movement, and communication. Neurodata can be both directly collected from the brain, or indirectly collected from an individual’s spinal cord, muscles, or peripheral nerve in the form of a downstream signal from brain activity or a preparatory signal prior to brain activity.

At times, neurodata can be personally identifiable when reasonably linkable to an individual or when combined with other identifying data associated with an individual, such as when part of a user profile. Personal neurodata is neurodata that could be reasonably linkable to a particular individual.30 The collection and processing of personal neurodata can produce information related to an individual’s biology and cognitive state. Additionally, the processing of personal neurodata can lead to inferences about an individual’s moods, intentions, and various physiological characteristics, such as arousal. Machine learning (ML) sometimes plays a role as a tool for helping determine if a neurodata pattern matches a general identifier or particular class or physiological state.

Although identifying individuals based solely on their collected personal neurodata is likely a difficult proposition, such identification has been shown to be possible with relatively little data (less than 30 seconds’ worth) within a lab setting,31 and some experts believe that such identification is feasible if not today, then in the near term.32 This possibility has implications for definitions pertaining to biometric data, as well as its permitted use. Personal neurodata can vary in levels of sensitivity, as certain personal neurodata can reveal seemingly innocuous data leading to few, if any, inferences about an individual; health information associated with an individual; or provide insight into an individual’s private feelings or intentions. For example, a BCI might reveal what object a gamer intends to select in a video game,33 which may or may not be innocuous; infer that a truck driver is becoming less alert while driving,34 which could reveal an individual’s sleeping habits; or it could reveal whether a patient is depressed, information pertaining to their health.35

In the future, BCIs could progress into new arenas, recording increasingly sensitive personal neurodata, leading to intimate inferences about individuals. Those arenas include transcribing a wide range of a wearer’s thoughts into text, serving as an accurate lie detector, and even implanting information directly into the brain. These uses are still in the early research phases and could be decades from fruition, or perhaps never emerge.36

D. Both Invasive and Non-invasive BCIs Pose Technical Challenges for Effectively Recording Neurodata and Modulating Neural Signals

Regardless of the technique used, recording and processing brain signals to derive usable neurodata is a technologically challenging process. Wired BCIs—typically associated with the clinical and medical context—include complex wiring that involves a prolonged preparation time before use, while wires limit user movements.37

Wireless BCIs avoid some of the hardware challenges of wired BCIs, but present new challenges associated with battery life—especially in the case of health-related BCIs that are intended to be on and active for extended sessions—and device weight, comfort, and practicality.38 Other hardware challenges include the need for commercial non-invasive headsets to record small neural signals through a physical barrier of hair, skin, flesh, and bone, all of which can interfere with the signals and add noise to the data. Meanwhile, invasive BCIs require expensive, high-risk surgery.39

Once signals are collected, the device must process and separate actionable nerve impulses from those that are created by passive activities, including artifacts derived from the wearer’s muscle movements, eye blinking, and electrical activity from the heart. Sometimes this extra data is used in conjunction with BCIs for various purposes, but these artifacts often have to be removed for neurodata to be usable. Most neurodata derived via BCIs is noisy (especially in the case of non-invasive applications) and creating computer systems that can classify and remove noise is a complex and cumbersome undertaking.

After actionable signals are gathered and sorted, ML40 algorithmic models can be applied for classifying neurodata. This typically involves a calibration and training process in which a user performs a number of operations so that the algorithm can understand the user’s unique neural data that represent their patterns when performing various actions. Using ML systems presents its own set of preliminary challenges such as: whether these ML systems can classify data better than chance, whether a particular system is appropriate to achieve a desired outcome, or whether the system does in fact accurately conform to a user’s neural signature, in addition to any ethical and legal risks. This process of identifying and processing an accurate and meaningful neural signature is something that researchers are still attempting to master.
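To make the four components of Part I (signal acquisition, feature extraction, feature translation, device output) and the artifact-removal problem in section D concrete, here is an added example that is not from the FPF/IBM report. It runs one one-second window of constructed, synthetic EEG-like samples through all four stages; the sampling rate, the artifact amplitude threshold, the alpha/beta bands and the two command names are assumptions. The point for a privacy reviewer is structural: a blink-contaminated window yields no command rather than a guess, and the output object carries the command only, not the raw neurodata or the features.

```python
"""Minimal four-stage BCI pipeline on synthetic samples (added example)."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_RATE_HZ = 128        # assumed headset sampling rate (constructed)
WINDOW = SAMPLE_RATE_HZ     # one-second decision window -> 1 Hz DFT bins
ARTIFACT_LIMIT_UV = 100.0   # assumed range; blinks/muscle spikes exceed it


def acquire(freq_hz: float, amp_uv: float = 20.0,
            blink_at: Optional[int] = None) -> List[float]:
    """Stage 1, signal acquisition and digitization. Stands in for the sensor:
    a dominant rhythm at freq_hz plus a small 50 Hz mains ripple (all constructed).
    blink_at injects a large eye-blink artifact starting at that sample index."""
    samples = []
    for n in range(WINDOW):
        t = n / SAMPLE_RATE_HZ
        v = amp_uv * math.sin(2 * math.pi * freq_hz * t)
        v += math.sin(2 * math.pi * 50.0 * t)          # constructed mains hum
        samples.append(v)
    if blink_at is not None:
        for k in range(blink_at, min(blink_at + 5, WINDOW)):
            samples[k] += 300.0                          # constructed blink
    return samples


def window_is_clean(samples: List[float]) -> bool:
    """Artifact check: any sample outside the expected range marks the whole
    window as contaminated (blink, jaw clench, cable movement)."""
    return all(abs(v) <= ARTIFACT_LIMIT_UV for v in samples)


def power_spectrum(samples: List[float]) -> List[float]:
    """Naive DFT power per bin; bin k is k * SAMPLE_RATE_HZ / N Hz.
    O(N^2), which is fine for a 128-sample window."""
    n = len(samples)
    spectrum = []
    for k in range(n // 2 + 1):
        re = sum(x * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        im = sum(-x * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(samples))
        spectrum.append(re * re + im * im)
    return spectrum


def extract_features(samples: List[float]) -> Dict[str, float]:
    """Stage 2, feature extraction: alpha (8-12 Hz) and beta (13-30 Hz) band
    power, a common relaxation-vs-engagement proxy in consumer EEG."""
    spec = power_spectrum(samples)
    hz_per_bin = SAMPLE_RATE_HZ / len(samples)

    def band(lo: float, hi: float) -> float:
        return sum(p for k, p in enumerate(spec) if lo <= k * hz_per_bin <= hi)

    return {"alpha": band(8, 12), "beta": band(13, 30)}


def translate(features: Dict[str, float]) -> str:
    """Stage 3, feature translation: map the features to a device command."""
    return "RELAX_MODE" if features["alpha"] > features["beta"] else "FOCUS_MODE"


@dataclass(frozen=True)
class DeviceOutput:
    """Stage 4, device output. Deliberately carries the command only: no raw
    samples and no features, so nothing downstream can retain neurodata."""
    command: Optional[str]
    rejected: bool


def run_pipeline(samples: List[float]) -> DeviceOutput:
    """Runs one window through all four stages. A contaminated window yields
    no command at all rather than a guess from artifact-dominated data."""
    if not window_is_clean(samples):
        return DeviceOutput(command=None, rejected=True)
    return DeviceOutput(command=translate(extract_features(samples)), rejected=False)


if __name__ == "__main__":
    print(run_pipeline(acquire(10.0)))                 # alpha-dominant window
    print(run_pipeline(acquire(20.0)))                 # beta-dominant window
    print(run_pipeline(acquire(10.0, blink_at=40)))    # blink -> rejected
```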

Part II: BCIs Provide Benefits and Present Risks in a Number of Sectors Including Health, Gaming, Employment, Education, Smart Cities, Neuromarketing, and the Military

This section surveys BCI adoption across seven key sectors: health and wellness; gaming; education; employment; smart cities; neuromarketing; and the military. These sectors represent areas where consumer BCI technologies are quickly evolving, and where unique privacy concerns are most salient.41 However, if the past is prologue, individuals and societies will find new and unexpected uses of technologies as they evolve and adapt inside and outside of these sectors.

Each sectoral use of BCI technologies examined below is accompanied by specific benefits and risks and an analysis of some of the existing laws, policies, and best practices currently in place that might safeguard neurodata within a particular sector. It is worth noting, however, that many of the benefits, risks, and challenges discussed overlap across a variety of uses and sectors outside BCIs and neurotechnologies, such as genetics, biometrics, and AI. While neurodata and BCIs may not be explicitly mentioned in current law, existing regulations may still be held to apply, even if policymakers did not contemplate the novel privacy issues associated with neurotechnologies. Conversely, new law may be motivated by the failure of existing law to contemplate novel privacy issues, such as the Genetic Information Nondiscrimination Act (GINA) arising out of a sense that contemporaneous health law—such as HIPAA—did not sufficiently contemplate or protect against issues prompted by genomic technologies.42 Similar regulations have since been created at state and local levels in response to increasing usage of biometric data and associated risks.43

Regulators might recognize a similar need in connection with neurodata, leading to new laws and standards. But in the absence of amended and new regulations, developers must consider current regulations, standards, and frameworks that might apply to this evolving field or serve as a foundation for future regulation, guidance, or decision-making around BCIs. Neurotechnology-specific frameworks include: the OECD Recommendation on Responsible Innovation in Neurotechnology44 and the FDA’s recent guidance on BCIs for Patients with Paralysis or Amputation.45 Legal frameworks of note include constitutional and fundamental rights protection of the right to respect for private life and confidentiality in some jurisdictions around the world,46 the protection of personality rights in Civil Codes in jurisdictions as varied as Germany, Quebec and, most recently, China,47 the EU’s draft legal framework on AI,48 as well as comprehensive data protection laws, such as the California Privacy Rights Act (CPRA)49 and the European General Data Protection Regulation (GDPR),50 to name a few.

Although these legal frameworks do not pertain to neurotechnology specifically, given BCI’s integration with AI and neurodata’s overlap with biometric data conceptualization, some of this guidance may be relevant or transferable in the future.

Additionally, there are numerous international brain initiatives that are working together to not only better understand the ethical issues and risks associated with BCI technologies and other neuroscience applications, but also publish general guidance, best practices, and key research questions regarding these topics.51

A. Health BCIs Diagnose Medical Conditions, Modulate Brain Activity for Cognitive Disorder Management, and Promote Accessibility

Today, health BCIs can improve health diagnosis, rehabilitation, and accessibility. Current breakthroughs in diagnosis include quantifying fatigue, identifying depression, and measuring stress.52 Diagnostic BCIs can also be especially helpful when patient responses are unavailable, such as when patients experience disorders of consciousness, including locked-in syndrome, whereby individuals are fully conscious but unable to move, speak, or explain how they are feeling.53 Current research efforts focus on BCIs that diagnose condition progression, such as glaucoma.54

While diagnosis typically involves recording brain activity, health BCIs are also used to modulate patients’ brains and nervous systems. Brain modulation is used in numerous ways, including stimulation for modulating and disrupting seizures for epilepsy patients.55 Recent advances in health BCI modulation include a vision restoration study to bypass the eye and the optic nerve to feed images directly to the brain, resulting in low-resolution vision.56

Other than diagnosis and stimulation, BCIs can provide increased accessibility. A new generation of prosthetic limbs relies on BCIs. These neuroprosthetics, or artificial limbs, move in response to thought; related work includes BCI-powered automatic wheelchairs.57 A non-invasive mind-controlled wheelchair, developed by researchers at Switzerland’s Federal Institute of Lausanne, can follow simple directions derived from a BCI and can assess the area around the wheelchair to navigate its surroundings safely.58 Users of neurotech wheelchairs think of moving their left or right arm to direct their wheelchair in their chosen direction. Recent advancements mean users no longer need to think of specific words like “table” in order to direct their chair to a nearby object; instead, they can think of associated activities like eating.59 Another noteworthy example occurred in 2019 when scientists implanted a BCI into the brain of a patient who was left with minimal movement of his arms and hands after a surfing accident.60 The invasive electrodes allowed the patient to control both left and right robot appendages to perform daily tasks, such as eating.61 Similarly, BCIs act as tools for providing haptic feedback or haptic sensory replacement within prosthetics and exoskeletons for purposes of patient rehabilitation, regaining sensation, and an increased ability for patients to perform previously inaccessible tasks.62

There are also efforts to connect BCIs with smart devices and IoT (internet of things), which could aid individuals with neurological disorders or motor impairments in doing activities of daily living or interacting with various appliances and devices, enabling improved or sustained quality of life through increased accessibility within their home environment.63

As mentioned previously, BCIs are also starting to emerge in the commercial wellness space as a method of personal tracking and of improving cognitive abilities (such as attention or meditation) and mental and physical health (such as sleep quality or fatigue). This is a developing space, and the efficacy of BCIs as wellness devices is still up for debate.64 Many of these wellness BCIs overlap with the gaming and toy space. The NeuroSky Mindwave Mobile 2: Brainwave Starter Kit provides the user with information about their brain’s electrical impulses when relaxing and when listening to music.65 The product includes an EEG-fitted headband and connects to companion apps via Bluetooth.66 The device also provides training games purported to help improve meditation and attention and to enhance the user’s learning effectiveness.67 Further, the device includes tools for players to create their own brain-training games.68

1. Health BCI Risks Include: Security Breaches, Infringement on Mental Privacy, and Accuracy Concerns

Security breaches represent some of the most prominent risks in the health and wellness BCI space. Some of these security risks are presaged by earlier breaches of medical implantable devices. In 2017, half a million pacemakers69 were recalled because they were vulnerable to hacking.70 Just as pacemakers could be breached, BCIs are vulnerable to cyber risks, including breaches,71 resulting in potentially severe physical harm to the patient. In such cases, BCIs run the risk of encountering interference—whether by bad actors or error—that might result in failed communication around high-stakes medical decisions. Recently, researchers showed that hackers, through imperceptible noise variations of an EEG signal, could force BCIs to spell out certain words that do not align with what the wearer is thinking.72 The consequence of this security vulnerability could range from user frustration to severe misdiagnosis. Moreover, breaches of BCIs raise concerns around the sanctity of sensitive health information that could be captured in a hack.

An equally important risk among health-related BCIs is ensuring sufficient and verifiable accuracy in the recording and interpreting of brain signals. High reliability of medical BCIs is especially important because inaccurate interpretation or modulation of a patient’s brain could result in serious consequences, or even death. Patients relying on modulating BCIs to help mitigate cognitive disorders, such as epilepsy, could suffer grave health consequences should the BCI fail to work as intended. Additionally, patients experiencing locked-in syndrome—who might be minimally conscious—require BCIs to accurately convey a patient’s wishes; concerns are particularly acute when patients rely on BCIs to communicate crucial information, such as their choices regarding treatment or even end-of-life decisions.73 Accuracy is also crucial in the accessibility context, as prosthetic limbs, wheelchairs, and other devices controlled via BCIs must operate correctly and safely according to users’ intentions.

Privacy risks regarding BCI accessibility devices come from the inferences drawn from conscious or unconscious intentions of an individual. The capacity of neural networks that underpin many of these devices to associate certain thoughts with directives means that subconscious or causally-connected intentions may be defined and interpreted by BCIs on a wider scale, leading to new mental privacy risks. For example, a BCI-controlled wheelchair and its underlying neural network might not only deduce that the user is thinking about food, therefore directing the chair to move toward the table, but also draw other conclusions about the individual’s biology and preferences, such as whether or not an individual is hungry or thirsty and at what times. These additional inferences capture new information about an individual’s thoughts, intentions, or interests, many of which are related to an individual’s specific biology and unique preferences.

Privacy risks are magnified when these new inferences are combined with other personal information about an individual to make decisions that impact their lives and could interfere with the autonomy afforded to individuals through the use of these accessibility BCIs. Organizations collecting and processing these brain signals, leading to granular inferences tied to an individual, could have incentive to repurpose this data for advertising or other non-medical purposes, exposing potentially sensitive biological information to third parties while running counter to individual notions of privacy. Additionally, the sharing of patient data associated with BCI use could potentially disclose an individual’s previously unknown medical condition to employers, private companies, public entities, or governments.

2. Some Health BCIs are Subject to Common Rule Requirements, FCC Oversight, or International Frameworks

Some of the advancements in health BCIs involve human subject research, which in certain cases is governed by a complex regulatory framework. U.S. researchers whose projects are federally funded are typically required to obtain subjects’ informed consent for data collection based on approval from a Common Rule-based Institutional Review Board (IRB) prior to undertaking studies.74 In other instances, such as some research involving open fMRI or other open neurodata, studies might not require IRB approval when the data in question involves secondary data use of de-identified samples.

In addition, wireless IoT BCI devices are likely subject to Federal Communications Commission (FCC) oversight because of their designation as connected wearables.75 However, given the lack of regulations around consumer wellness technologies, devices marketed outside of the physician-regulated context—such as brain training games and meditation-aiding devices like Muse76—may lack strict oversight. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates covered entities—such as physicians and health insurers—that collect, use, process, and share health information, but does not usually apply to wellness device companies.

In Europe, the GDPR is the applicable framework for any processing of personal data for the purposes of scientific research, including where the research relies on special categories of personal data, such as data related to health and biometric data processed for identification. There are several lawful grounds for processing under Article 6(1) that would allow the necessary processing of personal data for BCI research, as well as several permissions under Article 9(2) for the use of sensitive personal data. In some situations, this could allow data controllers to conduct this type of research even without individual consent for the processing of the data,77 specifically when sensitive data is necessary for public health purposes or for research in the public interest;78 however, there are many complexities surrounding this sort of processing, with the European Data Protection Board (EDPB) expected to adopt Guidelines on processing of personal data for scientific research purposes in the following months. Given the complexities surrounding human subject research and privacy, health researchers and other stakeholders seeking to develop or adopt BCIs will need to understand and verify how the product fits into the shifting regulatory landscape.

The EU’s recent proposed draft AI regulation79 covers all AI systems, including those relying on biometric data, and is likely to be relevant for future regulation of personal neurodata, significantly altering the regulatory landscape around BCIs and neurotech. It specifically focuses on AI systems that pose high risks to the “health, safety and fundamental rights” of individuals. BCIs that might be considered “high risk” AI systems under the proposed regulation could trigger requirements prior to entering the market, such as going through a conformity assessment, adoption of adequate risk assessment, security guarantees, and adequate notice to the user, among others.80 If considered a “low risk” system, organizations would have to fulfill transparency requirements.81 The full scope and impact of the EU’s AI regulation on the development and use of BCIs remains subject to the ongoing legislative process.

B. Gaming BCIs Often Augment Existing Platforms and Controls and Offer Players New Ways to Play Through Recording Neurodata

Gaming is one of the most prominent consumer applications of BCI technology. In turn, advances in gaming may serve as a dry run for innovations in other sectors with a more immediate impact on human wellbeing.

Today, most BCI gaming experiences involve outfitting existing devices and platforms with neurotechnology. Gaming and entertainment-focused BCIs were originally created for people with motor disabilities—and still offer accessible experiences for that community today—but are now increasingly targeted to the broader population.82 The most common integration of BCI technology in gaming involves the player wearing an external device—often a headband, cap, or plastic arm touching the player’s forehead—fitted with a non-invasive neurotechnology, such as EEG. These devices attempt to record the player’s electrical impulses, collecting and interpreting the player’s brain signals during play.

[Figure: An example of an EEG recording.83]

One of the earliest examples of EEGs in gaming is NeuroSky’s 2007 game The Adventures of NeuroBoy.84 With the use of a Bluetooth and EEG-fitted headset, called MindSet, the game claims to measure the player’s concentration and stress during play and provide this information to the player. Through concentration of thought, the player is able to move objects in the game, but NeuroBoy still relies on mouse and keyboard commands for much of the gameplay.85

Since the advent of games like The Adventures of NeuroBoy, BCIs in gaming have evolved to where recording neural signals is now a primary driver for gameplay, rather than working in tandem with traditional controls. However, the immersive experiences offered by most of the current applications of BCI gaming remain limited. Generally, players can only complete a discrete set of actions with their thought patterns. Star Wars Force Trainer II comes with a non-invasive EEG wearable, and the game claims that players can use their thoughts, or “the force,” to control a levitating holographic image of an x-wing.86 EEG wearable games like Star Wars Force Trainer II cannot accurately detect when the player is thinking about specific directions such as “up” or “down” but rather assign these movements to an arbitrary set of brain signal patterns, which inform the player’s neural signature.

Games involving BCIs are not limited to single-player experiences, but have applications pointing to a future of multiplayer and social games. Cornell University researchers developed BrainNet, the first multi-person non-invasive brain-to-brain interface (BBI).87 In BrainNet, three participants, outfitted with external EEG and TMS caps, play a game similar to Tetris.88 Two of the players can see the entire game screen, while the third can only see the block at the top of the screen. The two players who can see the entire screen “send” neurodata to the third player about how they should rotate the block to complete a row. The third player “receives” the neurodata and then sends a command via nerve impulse to the game, indicating whether or not to rotate the block. While not yet widely available, this type of collaborative gameplay increases the potential for a more interactive BCI gaming experience. Moreover, BBIs could unlock a new method for completing collaborative tasks and communicating outside the realm of gaming.

Other innovations in BCI gaming involve augmenting platforms with BCI technology. This form of augmentation is most common today in the extended reality (XR) gaming space. Extended reality is the umbrella term used to describe augmented reality (AR), virtual reality (VR), and mixed reality (MR) technology.89 Today, when BCIs are integrated into XR technology, it is typically through the use of a headset called a head-mounted display (HMD). In the BCI context, HMDs are fitted with electrodes which non-invasively collect neurodata needed for gameplay without the use of cumbersome technology or dozens of EEG electrodes.90 Companies like Neurable are developing their own HMDs outfitted with EEG electrodes and software compatible with other HMDs outfitted with EEG electrodes.91 In Neurable’s first demo, Awakening, the player assumes the role of a psychokinetically-gifted child who must escape from a government prison.92 Through recording the player’s electrical brain impulses, the BCI HMD lets the player choose between a host of objects to escape from prison and advance through the game.93

The future of BCI gaming may provide fully-immersive experiences where the player can initiate a diverse set of in-game actions with their conscious thoughts. Here, the player’s neurodata would be collected and combined with other biometric or physiological information derived from their gestures,94 eye movements,95 facial expressions,96 breathing,97 and heartbeat.98 OpenBCI99 is currently developing Galea, a software and hardware platform that uses existing HMDs, most notably the Valve Index. The device collects neurodata along with data from the wearer’s heart, skin, muscles, and eyes through a number of sensors with the initial goal of providing developers the tools to explore further integrating this data into future projects.100

Other future advances in BCI gaming will prioritize social interaction with other players. Immersive games will continuously record and process neurodata and other physiological data to respond and adjust in real time—or after the fact during a later experience—to a player’s expressed mood and skill level.101 Some game developers predict that immersive gaming BCIs will be able to modulate players’ brains to alter moods during gameplay as well as providing “better than real visuals” in games.102

1. Gaming BCI Risks Include the Involuntary Collection of Neurodata, Which Could Lead to Granular User Profiles that Result in Decisions Potentially Impacting and Limiting the User Experience

Key privacy risks associated with BCI gaming are less about user identifiability than about the inferences drawn regarding a user’s psychology and preferences, and how organizations might make decisions based on these inferences. These risks are especially prevalent when augmenting existing gaming platforms, particularly VR, with BCI and neurotechnology sensors. In VR, data is collected about the immersive digital world in which a user is interacting. When combining a user’s real-time neurodata with the content a user is currently experiencing in VR, a profile can be built about an individual in which inferences can be drawn about a user’s responses to the virtual content they are being served.

Brittan Heller has coined the term “biometric psychography,” which describes the notion of combining collected biometric or biological data with information about the virtual stimuli encountered by the user to produce inferences about the user’s psychology.103 For instance, changes in recorded neurodata throughout a user’s play session could lead to conclusions about whether particular content excites, arouses, induces fear, or psychologically impacts a user. Further, when neurodata is combined with other biological data that supports inferences about a user’s psychology (changes in pupil size, timing and direction of eye gaze, changes in skin temperature, and changes in heartbeat), increasingly detailed profiles reflecting a user’s psychological response to content can be inferred.

Unlike other biological indicators, neurodata could provide especially sensitive details about an individual’s psychology, collected directly from the brain in real time to gain insight into a user’s intent or neurological reactions. In turn, AI and machine learning models can be trained on a user’s brain signals—in combination with other biological changes in response to content—allowing organizations to associate user-specific changes in neural signals with certain physiological states, such as arousal. Moreover, changes in brain signals might be even more involuntary than something like eye gaze: a user has the option of controlling where they look, but not their electrical neurosignals.

Risks are magnified when decisions that impact the user are influenced by inferences deduced from neurodata by the company or third parties. Decisions could include: which content to serve to a user, which ads a user might view during BCI gaming, and other activities across the Internet based on a user’s involuntary brain signal responses. Beyond ads, there are genuine concerns that one’s neurodata could be used to expose vulnerabilities that could be exploited by nefarious actors who purposefully target digital spaces that cater to children (e.g., human trafficking).104

Today, content recommendations are seen across gaming, streaming, and other online services. Currently, content is served based on a voluntary action by the user, such as listening to a particular song or viewing a particular video, visiting a certain website, or “liking” a post on social media. In the case of BCI gaming, content may one day be served based on involuntary neurological responses of the user. Therefore, the types of content—including ads—served to users can be determined not only by their voluntary entertainment consumption, but further determined by involuntary inferences resulting in increasingly granular profiles about individuals. Additionally, content served to users based on increasingly granular profiles including their brain signals could be shared with third parties for advertising or other purposes, further tailoring the experience users have across the Internet—sometimes without user knowledge or consideration of user wishes.

Another concern about inferences resulting from the collection of neurodata is whether or not these inferences are accurate, especially given the nascent and limited utility of non-invasive BCIs today. When the inferences about a user’s psychology are especially accurate, providers run the risk of serving content so reflective of a user’s interests that it could promote severely addictive gameplay or desensitization to various forms of entertainment or interaction, and other potentially unhealthy habits. When these inferences are inaccurate, providers run the risk of turning off certain users from enjoying content and serving them content and ads that do not comport with, or at times offend, their interests. Whether these inferences are accurate or not, increasingly granular profiles dictating which content to serve, or not serve, a user could result in enhancing the division and filter bubbles found online today. Moreover, if these inaccurate inferences are sold to third parties for non-advertising or non-gaming purposes, there could be opportunities for impermissible discrimination across a wide variety of other domains.


2. Some BCI Gaming Applications are Regulated by Children’s Privacy Regulations or General Biometrics Laws

A regulation that could uniquely impact BCI gaming in the United States is the Children’s Online Privacy Protection Act (COPPA). Many games, including some of the games described above, are directed to children under the age of 13, and as such the personal information collected is covered by COPPA.105 COPPA applies to “operators” of online services directed to children under 13 or those who have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. COPPA provides parents and guardians with a number of rights over their children’s personal information, including access to the child’s information and deletion rights over the data. The law places a number of requirements on organizations, such as posting a clear privacy policy on their website, providing direct notice to parents, obtaining parental consent before collecting information from children under 13, and enacting reasonable security to protect the child’s information.

While biometric information, including neurodata, is not explicitly covered under COPPA, children’s neurodata, if used to identify a particular child, could be swept into the law as a “persistent identifier,” which is covered under COPPA. Additionally, the Federal Trade Commission (FTC) is currently considering amending COPPA to include biometric data.106 It is yet to be seen whether biometric data will be swept into a new iteration of COPPA, and whether the definition of biometrics would cover neurodata. Regardless of whether neurodata will be specifically covered under COPPA, developers should be aware that BCI games and other Internet-connected toys that collect children’s other personal information, such as name, address, image, or audio recording, could potentially fall under COPPA.

Other potentially applicable laws in this space are certain state biometric laws, which provide a number of rights to individuals over their data and place requirements on companies collecting biometric data, including but not limited to: prohibitions on collecting, processing, using, or sharing biometric information without prior opt-in consent; data security requirements that meet industry standards; and (in the case of the Illinois law) the ability for individuals to bring private rights of action for violation of the law. However, none of these laws explicitly cover neurodata. Some state biometric laws define biometrics narrowly and are less likely to be interpreted to cover neurodata as written today. For instance, the Illinois Biometric Information Privacy Act (BIPA) defines a biometric identifier as being limited to: “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”107 Other state biometric laws such as the Washington law (WASH. REV. CODE § 19.35.010) define biometric identifiers more broadly as “data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.”108 State biometric laws with broader definitions of biometric identifiers, like that in Washington state, could cover personal neurodata if it is used as an identifier.

Additionally, comprehensive privacy laws, such as the EU’s General Data Protection Regulation (GDPR)109 and the California Privacy Rights Act (CPRA),110 could cover personal neurodata with their broader definitions of biometric data. However, current laws that could cover personal neurodata are framed in terms of the ability to identify an individual based on biometric data. Concepts such as “biometric psychography” and accompanying inferences may not be interpreted as covered under these laws.

C. Employment and Training BCIs Can Monitor Employee Engagement During High-Risk Tasks, Report Employee Cognitive Data to Employers, Modulate Employees’ Neural Signals to Improve Their Abilities, and Provide New Tools to Efficiently Complete Tasks

One of the most prominent uses of BCIs in the employment and industry context is measuring engagement during high-risk tasks. Engagement-measuring technology is marketed for jobs where attention is crucial for performance and prevention of physical harms, such as those in sports or transportation. One noteworthy engagement-measuring BCI is Life, developed by Smartcap,111 which features an EEG headband that fits inside hardhats, trucker caps, and other headgear and notifies truckers and employers when the wearer is drowsy or inattentive while driving.112 Life and similar technologies are intended to combat the estimated 70% of trucking accidents caused by fatigue.113


Other engagement-measuring BCIs combine neurodata with other biometrics to measure and encourage employee engagement. AttentivU is a pair of glasses fitted with both EEG electrodes measuring neurodata and sensors for tracking eye movements.114 The technology combines these data streams to draw conclusions about the wearer’s fatigue, engagement, and cognitive load. The device indicates to the wearer when their attention level changes through audio feedback and a connected vibrating scarf.

Other BCIs in the employment context are used to collect information related to workers’ moods.115 In some Chinese factories, state-owned companies, and various transport contexts, workers are required to wear BCI headsets that collect neurodata to measure not only their attention, but also sudden negative mood changes like acute anxiety, rage, or pronounced distress.116 Similarly, one could imagine a sort of “HR dashboard”117 in which employee engagement or moods are accessed by management, who could use this data to gauge efficiency, manage workloads, track worker happiness levels, or make employee hiring, firing, or promotion decisions. Additional research efforts are underway for the development of BCIs as lie detectors.118 While much of this research is occurring in the law enforcement, government, and military space, these technologies may have implications in the private sector, especially for employees who work on confidential projects.

Modulating BCIs in the employment space are touted as a tool for improving workers’ performance and ability to multitask in fast-paced environments through the use of transcranial direct current stimulation (tDCS), developed by companies such as Caputron.119 tDCS involves a headset fitted with electrodes inside sponge inserts that conduct electricity from the wearer’s scalp.120 While the use of tDCS is not yet widespread in the employment context, some early tests show that the technology could enhance multi-tasking efficiency by approximately 30%.121

Some forecasts suggest BCIs will be used for job training by requiring invasive BCI technologies, which are directly installed into the user’s brain.122 Elon Musk’s Neuralink company promotes the aspirational goal of installing “neural lace,” consisting of many tiny electrodes, into the brain.123 A tissue-like lace overlay that drapes over parts of an individual’s brain would have numerous advantages over devices that only pick up signals in certain regions. Such an overlay could yield a fuller representation of the wearer’s thoughts. Further, invasive implants could avoid some of the safety pitfalls of non-invasive devices that have the potential to break blood vessels or injure tissues. However, invasive implants necessarily involve surgery, which comes with its own set of risks. One of Musk’s goals is to make Neuralink users, whether they use the neural lace technologies or another variety of BCI, “smarter” by improving memory and aiding decision-making, crucial during a high-pressure or time-sensitive task. While these innovations appear far from fruition, Neuralink is currently testing neural lace technology on animals, and is planning to conduct its first human tests in 2021.124 Additionally, early work has shown that certain BCIs might enhance episodic memory—the ability to recall and reexperience memories from the past.125

Other non-invasive neurotechnologies show promise in enhancing employee abilities. Companies like Facebook are looking to integrate non-invasive EMG wristbands into emerging technologies, such as virtual or augmented reality, which can collect signals from a user’s motor neurons to capture the user’s intent to move their fingers or other appendages.126

Additionally, researchers developed an invasive BCI that allows users to type by thinking about writing specific letters.127 While this technology is far from mass market—and given its invasive nature might be best suited to provide accessibility to patients with paralysis—such technological breakthroughs could have widespread impact on the employment landscape. This could result in users performing tasks such as typing with their minds at a faster rate than the dexterity of their hands would typically allow. Such devices might one day change how workers send emails, code programs, or communicate with colleagues.

1. Employment BCI Risks Include: Eroding Worker Privacy While Chilling Behavior, Making Impactful Decisions About an Employee Based on Inaccurate Science, A Lack of Employee Control Over Their Neurodata, Workers Questioning Their Identity, and More

BCIs that monitor employee engagement during high-risk activities might effectively promote safety and save lives. However, such technologies could compromise employee privacy and autonomy. An employee who is knowingly being monitored might increasingly distrust their employer, lose morale, or chill their behavior—including union organizing.128 On the other hand, some might view the collection of a limited neurodata set for safety purposes as less privacy-invasive129 than other technologies like in-vehicle cameras.130 However, even if the collection and analysis of neurodata is less privacy-intrusive (a claim very much up for debate), employees might have equal or greater feelings of being surveilled given the nascence, opacity, and complexity of a technology recording data from their brain.

Privacy questions also emerge around whether the employee, employer, both, or neither ultimately should have control over employee neurodata. This is further complicated when an employer institutes a bring your own device (BYOD) policy, in which case the employee might own their own device, but the employer might have control—in full or in part—of the employee’s associated neurodata.

Comprehensive privacy laws, such as the CPRA, provide a number of rights to individuals as consumers over their personal data—such as the right to access, correct, delete, or export their personal information—but do not currently extend these same rights to employees. However, the CPRA will be extending its protections to employees beginning in 2023. A lack of employee control over their data could further erode employee trust, reduce autonomy, and open the door for recorded neurodata to be used for purposes unrelated to their employment, such as building advertising profiles. Their data might also be used for purposes which could inadvertently violate worker privacy involving health data (e.g. influence insurance coverage) or litigation (e.g. workman’s compensation).

Relatedly, many risks stem from the ability—or lack thereof—of employees to consent, or not, to being monitored or having their brains modulated. Even in situations where employers will only monitor or modulate employees’ neurodata upon obtaining express consent, inherent power imbalances between employers and employees create a dynamic where employees could be less willing to refuse consent to, or opt out of, monitoring for fear of retaliation, losing out on a promotion, or reducing chances for a raise. There is also the concern of fairness between employees based on their choice to use the technology or not, since a disparity in information and engagement by employees who opt in vs. those who opt out could make it more difficult to equitably judge performance between workers.

Risks around employee monitoring are further heightened when employers make decisions about employees based on this data. Decisions based on the collection of employee neurodata could include disciplinary measures, hiring and firing decisions, and other potentially adverse actions. Concerns are exacerbated as experts have questioned the accuracy of some emotion detection131 technology using neurodata or other biometric inputs,132 meaning that employees could be unjustly punished or inappropriately rewarded based on inaccurate and unproven science. Additionally, emotion detection is gaining traction in the US in contexts such as job recruitment,133 which could include the collection and analysis of neurodata in the near future.

Employees who use stimulating BCIs to enhance cognitive and work performance might question their own identity and psychology.134 Studies have shown that the emotional or behavioral changes in patients might cause them to question whether their psychological state is attributable to the BCI or to themselves.135 Workers questioning their identity could reduce or confuse their sense of agency, their capacity to make decisions, and their identity as human beings both in and outside of the workplace.136

2. Workplace Monitoring, Collective Bargaining, and Employee Privacy Laws Apply to BCI Use in Some Employment Contexts

Workplace monitoring laws place limitations on some types of BCI-based employee monitoring. The Electronic Communications Privacy Act (ECPA) prevents employers from monitoring employees’ personal phone calls but allows them to monitor “workplace communications,” especially when those conversations take place on company devices like company-owned computers and telephones.137 Existing anti-discrimination measures, including the Americans with Disabilities Act (ADA),138 may restrain employers who would use the results of a BCI that reveals a disability in hiring or firing decisions.

U.S. law grants employers broad leeway in defining workplace privacy policies for at-will employees. By contrast, unionized employees, who comprise roughly 11% of the total American workforce, often stipulate enhanced workplace privacy protections as part of collective bargaining agreements.139 The types of protections vary depending on the circumstances, but they typically limit the use of workplace monitoring systems known as “management by algorithm,” which are new forms of monitoring and surveillance using data generated by workers—potentially including neurodata—that could exacerbate discrimination and systemic inequality.140 The GDPR recognizes the inherent power imbalances between employee and employer for activities such as employee monitoring by noting that consent can only serve as a lawful basis for processing employee personal data under exceptional circumstances.141

The use of BCIs as lie detectors in the employment space remains limited, but there are federal laws that specifically protect employee privacy in a narrow manner. The Employee Polygraph Protection Act protects potential employees (absent some exceptions) from hiring or firing practices on the basis of a lie detector result.142

Other regulations of note include state microchip laws, which generally prohibit employers or organizations from requiring employees to be implanted with microchips.143 Today employers are not requiring or offering that employees install invasive BCIs or other neurotech into their brains, but there are non-neurotech examples of employees who have the option of being “chipped” by employers.144 Organizations engaged in employee tracking should be cognizant of these microchip laws and should consider how a future, invasive BCI would be covered under these legal regimes.

D. BCIs in Education Record Neurodata to Help Inform Individualized Learning Models and Provide Real-Time Feedback to Students and Teachers on Student Engagement and Progress

Proponents of BCIs in education argue that BCIs can help students in both K-12 and higher education learn, retain information, pay attention, increase empathy, and improve academic achievement.145 Recent developments in educational BCIs are cited as helping optimize students’ workload and curriculum difficulty in response to individual needs.146 It is widely recognized that learning is optimized when educational materials map to a student’s cognitive strengths.147 Digital learning environments implementing BCI technology would gather neurodata from students using EEG, and estimate the difficulty of workload based on a student’s brainwaves.148 The tools can then adapt the difficulty of assignments in real time to maximize learning. One of the celebrated elements of customized learning occurs when the material meets the “Goldilocks test,” which measures task achievement as neither too easy nor too difficult, but just right.149

Addressing a different aspect of learning, some education technology companies are developing BCIs that measure students’ classroom attention levels. For example, BrainCo, Inc. is developing BCI technology that involves students wearing EEG-fitted headbands in class.150 The students’ neurodata is gathered and displayed on a teacher’s dashboard which is said to provide insight into student attention levels. Student metrics may also be shared with students’ parents, keeping them up-to-date on their children’s performance in class.151

1. Educational BCI Risks Include: Making Decisions About Students’ Cognitive Abilities Based on Inaccurate Inferences, Chilling Student Speech, and Perpetuating Injustice

A major risk in the education field arises from inaccurate or incomplete neurodata used to make inferences about students’ cognitive abilities.152 In many ways these concerns mirror those found in the employment space. Measuring a student’s brain signals to gauge attention levels or ability to grasp certain material using inaccurate and not well-understood data, and then using this information for making important decisions about a student’s engagement, achievement level, or academic potential could result in miscategorizing a student as either a strong or struggling student.

Neurodata can be unreliable or inaccurate for a number of reasons, such as: poorly fitting devices; devices not containing enough sensors; facial or body movements sullying the quality of a dataset; or faulty, not well understood, and not well tested underlying science. This could put students at risk for incorrect penalties for inattentiveness or other perceived behaviors. Further, requiring students to wear EEG headsets might “chill” a student’s speech (or thoughts) if they feel they are being surveilled, as previous studies on the effects of being monitored have shown. Moreover, feelings of being surveilled could reduce student and parent trust in the school and the educational system as a whole.

This chilling of speech could be doubly true for students with a perceived history of acting out in school, students who are particularly vulnerable, have learning differences such as ADHD,153 struggle with mental health, or come from communities heavily surveilled by law enforcement or others. This could be especially true when BCIs are used exclusively or disproportionately among certain subgroups of students or in disciplinary settings, such as detention.154 The Health Advanced Research Projects Agency (HARPA)155 has looked into surveilling students’ social media activity. This sort of school safety measure in combination with neurodata could lead to further limiting students’ need to appropriately “vent” online, or drawing inaccurate conclusions related to the content posted online by students. While educational BCIs are sometimes touted as leveling the playing field for students, disproportionate use of BCIs, or BCIs used among certain groups of students, could increase rather than relieve injustice. Moreover, the tracking of students’ cognitive processes and taking action based on this tracking could lead to further stigmatization of learning differences or mental health concerns.156

2. Federal, State, and Local Student Data Laws Typically Place Requirements on Schools and Neurotech Companies Collecting, Using, and Sharing Personal Neurodata, While Granting Rights to Students and Parents

While BCIs may introduce unprecedented collection and sharing of neurodata in the education context, there are dozens of privacy regulations that touch on education privacy at the local, federal, and international level. Currently, all 50 states and Washington, DC have introduced student privacy legislation, each with its own requirements.157 Not all of this legislation would have bearing on BCIs; however, schools, teachers, and BCI companies should be cognizant of the applicable laws and provisions in each state where the technology is used. In addition, stakeholders should be aware of school and district-specific policies and best practices governing student data as well as the concerns of parents and school boards. Developers and purveyors of BCI technologies should proactively and transparently communicate their practices to engage and empower parents and community leaders.

At the federal level, there are a variety of privacy regulations that specifically impact education. One of the most relevant is the Family Educational Rights and Privacy Act (FERPA),158 which protects education records at all schools that receive federal funding.159 Education records contain information directly related to an individual student and are maintained by an educational agency or institution or by a party acting for the agency or institution. In certain contexts, a student’s personal neurodata could be part of an education record falling under the protection of FERPA—which includes biometric records.160 Parents and guardians hold a number of rights over their children’s data (students themselves hold these rights when over the age of 17), while restrictions are placed on school officials maintaining education records.161 For example, school officials might not be permitted to disclose personal neurodata collected from students to third parties without express consent from parents and guardians.

E. Research Efforts are Underway for Integrating BCIs Into Smart Cities and Communities for Enhanced Communication for Construction and Public Safety and for New Methods of Control for Connected Vehicles

One of the more future-facing sectors for BCIs is the smart cities and smart communities162 space, where researchers look to integrate BCIs into smart vehicles and urban planning and construction design. In the US today, technological mapping of public and private spaces is becoming ubiquitous, and a number of emerging technologies have already entered the smart city arena.163 For example, sensors and other technologies are increasingly integrated in: transportation, including smart cars and bike share services; utilities, including smart power grids and smart water meters; telecommunications, including public broadband; government services, including gunshot detectors and parking monitoring; and environmental monitoring, including smart trash cans and environmental sensors.164 In the future, neurotechnologies could serve as another set of sensors—in this case collecting neurodata—for aiding city and transportation efficiency, public safety, and energy monitoring.

BCI research is increasingly focused on integration into smart cities and communities for enhanced communication promoting efficiency and safety. For example, Neurable165 and Trimble166 recently announced that they are utilizing BCIs alongside technologies like GPS to provide training and safety services for the transportation, architecture, engineering, and construction industries.167 Such technologies could provide voice-free and hands-free communication interaction between construction workers and engineers, while also providing analytics for tracking training efficiency and worker and citizen safety.168 Firefighters, paramedics, and other public protection workers could benefit from this technology, and could operate as members of an integrated team if able to directly collaborate with one another via BCI.169 One could imagine firefighters operating in conjunction, and with greater safety, if they could communicate in real time without the need for a voice interface, or in the case of voice and other communication outages. Similar research into BCIs as communication devices is prevalent in the military context with projects such as Silent Talk, allowing soldiers to communicate via neural signals without the need for verbal speech.170

Other BCI research focuses on transportation. As early as 2014, researchers proposed a prototype for a Bluetooth-enabled BCI that could control a smart car.171 Research and prototypes involving BCIs for connected vehicles are still in the early phases.172 But as the connected vehicle landscape expands, BCIs and other neurotechnology could be increasingly integrated into connected vehicles for purposes such as vehicle control or monitoring drivers’ attention levels behind the wheel. Recent innovations include Hyundai’s Mr. Brain project, which is designed to measure a driver’s attention through collecting brainwaves using an earpiece sensor.173 The device can be connected to a companion smartphone app that notifies the driver when they are losing their concentration.174

Moreover, research into BCI-controlled drones is currently underway.175 The ability to control smart cars, drones, or other vehicles could promote accessibility to those who lack the motor functions to control vehicles today and could promote safety by monitoring driver fatigue levels and warning drivers when they are drowsy behind the wheel.

1. Privacy Risks of BCIs in the Smart Cities and Communities Space Include Increased Surveillance, Public Safety Concerns, and Exacerbating the Digital Divide

Near-term BCI innovations in smart cities will likely augment existing sensors, potentially heightening existing privacy concerns in the smart cities context. A major flashpoint in the privacy debate today relates to both public and private surveillance of communities, especially those that have been historically surveilled and over-policed. Advocates have pinpointed technologies such as facial recognition, license plate readers, cell site simulators, and drones as more privacy-invasive than traditional surveillance technologies such as cameras or wiretaps, given their power to locate a vehicle, device, or person among a crowd of many and their potential to gather associated metadata, personal information, or content of communications. Privacy risks are magnified when these technologies are deployed in historically surveilled communities, reducing individual privacy rights, chilling speech, eroding public trust, and perpetuating systemic inequalities related to race, social status, gender, national origin, and other sensitive attributes. Integrating neurotechnology sensors into community architecture, vehicles, and the public square could lead to the collection, storage, and sharing of neurodata by law enforcement for surveillance purposes. Combining neurodata with other personal information could lead to even more invasive surveillance than individuals are currently experiencing.

Other concerns emerge around public safety. Early prototypes of vehicles controlled fully, or in part, by an individual’s brain signals cannot be operated with the same precision as vehicles controlled with steering wheels, controllers, or other haptics. It is unlikely that vehicles controlled solely by the mind will enter the market in the near future, but new public safety questions will emerge around vehicles controlled by BCIs.

Concerns related to exacerbated digital inequity could also be prevalent in the smart cities space. Communities that are already more connected and have adopted smart city technology will be more likely to have the infrastructure in place and resources available to implement BCIs in public. On the other hand, communities that lack these same technological investments are less likely to be early adopters and could fall further behind, only increasing the digital divide at national (wealthy vs. low-income neighborhoods and communities) and international (global north vs. global south) levels.

2. BCIs in Smart Cities Are Starting to be Governed176 by a Mix of Legal Frameworks

While companies developing smart cities technology are responsible for complying with privacy, security, and other related regulations, ultimately it is often up to local governments to regulate emerging technology integrated into modern, connected communities. Local laws, ordinances, and frameworks contain their own idiosyncrasies, often vary between localities, cities, and states, and sometimes are written to align with the particular values of their communities. However, it is important to recognize that local ordinances and regulations are sometimes subject to preemption by state or federal regulation. On the international level, laws governing smart cities technology could contain vast differences, often highly dependent on differing cultures and government systems. For example, cultures that place a greater emphasis on individual freedom might codify individual rights and obligations on emerging technologies differently than communities that place a greater emphasis on collective wellbeing. Smart city infrastructure and associated emerging governance are already complicated at the baseline, and the potential integration of BCIs into this space will only make technical and regulatory considerations more complex. As such, it remains to be seen how the BCI smart city landscape will unfold and what the ultimate privacy implications will be.

F. Neuromarketing Involves Recording Neurodata to Gain Insight Into Individuals’ Reactions, Preferences, and Motivations When Encountering a Product or Service

Neuromarketing generally refers to collecting physiological and neural signals for the purposes of learning about individuals’ reactions, mood, preferences, and motivations when purchasing or using a product or service.177 Neuromarketers typically use two brain scanning methods—functional magnetic resonance imaging (fMRI) and EEG.178 fMRI offers researchers deeper and potentially more accurate insights into how consumers make decisions based on various stimuli than the more accessible and less expensive EEG methods.179 In one well-publicized study using fMRI scanning, participants were asked to drink unlabeled soft drinks.180 Absent brand cues, participants displayed little preference for either Coca-Cola or Pepsi; however, when given brand cues around which beverage they were drinking, participants displayed heightened brain activity in areas correlated with recall and memory.181 These tests revealed positive feelings like nostalgia when it came to the participant’s preferred drink.182 Understanding why individuals choose the products and services that they do poses untold benefits for advertisers.183 Where fMRI is too inaccessible or expensive, neuromarketers turn to less accurate, but more accessible, portable, and less expensive EEG methods.184

Often in tandem with fMRI or EEG technology, neuromarketing researchers gather information from sources other than direct neural signals. Alternative tracking methods include eye tracking, pupil dilation, skin conductivity, and facial expression coding as ways to quantify attention, arousal, and psychology. When neurodata is combined with these other inputs, the advertising profiles tied to individuals will become increasingly granular and more attractive to advertisers, third parties, and other stakeholders in the advertising technology ecosystem looking to share, sell, and place more impactful behavioral ads to these individuals across the Internet.

1. Neuromarketing Risks Include the Repurposing of Personal Neurodata for Advertising, Promoting Addicting or Unhealthy Behaviors, and Inadequate Consent When Collecting or Sharing Involuntary Neurodata Due to Poor Transparency

The adoption of BCIs across numerous sectors could pose unprecedented privacy risks within the ad tech ecosystem. While granular user profiles for advertising purposes exist today, adding neurodata would further animate already detailed profiles, revealing more details about a particular individual and inferences about their preferences. Many BCIs across various sectors, by their very nature, collect personal neurodata. Organizations collecting and retaining personal neurodata—and other related information—for various purposes could be incentivized by advertiser dollars to share or sell this data for advertising.

Further, the use of neurotechnologies in marketing could provide stakeholders insight into new and sensitive inferences about an individual’s sexual preferences, arousal, health, and other especially sensitive details. Not only could this offend individuals’ notions of privacy and erode user trust, but it could incentivize the further collection of especially sensitive information, encouraging the creation of increasingly granular, and sensitive, profiles sought after by advertisers for delivering more impactful behavioral ads. If taken too far, granular and accurate profiles could lead to serving advertising content which encourages addictive activities related to content consumption, gameplay, gambling, or promoting unhealthy habits. Granular profiles built from inaccurate biometric data collection can also lead to inaccurate conclusions about individuals and can falsely target advertising content to them.

Additionally, the privacy risks and associated consequences could extend well beyond frustration or annoyance when advertising profiles are shared or sold to third parties for purposes other than advertising. One could imagine a scenario where impactful decisions could be made about individuals based on advertising profiles, such as health care premiums determined in part by a user’s preferences for a “healthy” or “unhealthy” diet based on both buying decisions and how their neurons react to certain food.

Moreover, mood and eye tracking software—as it exists today—can collect involuntary responses of a user in reaction to stimuli. Involuntary responses could be especially valuable to advertisers because they could reveal unfiltered user preferences ripe for impactful behavioral advertising. The tracking of involuntary responses makes user transparency and control especially difficult because it is often happening without user awareness. The current widespread model of companies’ terms of service and privacy policies stating information such as “we will be collecting data from this device and software to understand more about you” would well miss the mark of providing transparency to users. Organizations engaged in tracking involuntary brain signals and other biometric or physiological measurements from users might rethink current consent protocols, as well as transparency and explainability models, for providing both an accurate and clearly understood snapshot of what data is being collected from users and for what purposes.

2. Neuromarketing is Potentially Governed by Comprehensive Privacy Laws, FTC Enforcement Authority, and Neuromarketing-Specific Codes of Ethics

State laws such as the CPRA provide a number of rights to consumers, including rights of access, information, deletion, portability, and the right to opt out of “selling” personal information, while placing new obligations on businesses. Personal neurodata is not specifically mentioned in the law, but such information could be classified as “biometric information”—covered and broadly defined under CPRA. The CPRA offers a specific opt out of “cross contextual behavioral advertising” (aka advertising targeted to an individual based on their behavior online).

In addition to comprehensive privacy laws, the Federal Trade Commission (FTC) has authority to investigate, under Section 6 of the FTC Act, and authority to enforce penalties on the basis of deceptive and unfair trade practices—including those related to advertising—under Section 5 of the Act.185

Other than laws and agency enforcement, voluntary self-regulatory initiatives could also inform this space. The Neuromarketing Science & Business Association’s (NMSBA’s) Code of Ethics enshrines commitments around integrity; consent (including requiring informed consent from parents when studies involve children); transparency; and privacy.186 These ethics codes could act as tools to educate and guide organizations wading into this emerging and unique sector of advertising. Additionally, the United Nations Convention on Rights of the Child has called for the specific prohibition of certain forms of advertising to children, including neuromarketing, signaling that some policymakers view neuromarketing as creating heightened risks for vulnerable populations, such as children.187

G. Military BCIs include Restorative Devices, Communications Tools, Vehicle and Weapon Control, Deception Detection, and More

Today, military use of BCIs is largely non-invasive and focused on the creation of restorative devices for injured service members.188 However, the U.S. and China have explored the viability of BCIs as next-generation weaponry. In the U.S., the Defense Advanced Research Projects Agency (DARPA) recently announced $104 million in funding to support its Next-Generation Nonsurgical Neurotechnology (N3) program, which provides funding for researchers to develop high-performance brain-computer interfaces for military service members.189 These devices are intended to be non-invasive, allowing “super-warriors” to control drones and other vehicles with their brain signals during complex military operations.190 Other military research includes BCIs for communication between military personnel, such as Silent Talk, in which personnel communicate via neural signals without the need for verbal speech or gestures.191

Much of the research in the military space is informed by breakthroughs from other sectors. Notably, DARPA recently awarded a number of grants to BCI researchers,192 including a project from the University at Buffalo in which neurodata is collected from videogamers during gameplay in hopes of using this data to train future advanced AI robots for military use.193 The military has expanded its research into deception detection using BCIs, taking a page from law enforcement and other defense offices’ use of polygraph research.194

Innovations in invasive BCIs in the civilian arena adopted for military use could lead to massive breakthroughs with implications for both modern warfare and society at large. For instance, DARPA’s Restoring Active Memory (RAM) program aims to help with memory recall and formation for service members suffering brain injury through the use of an invasive BCI.195 RAM involves similar technology and methods as invasive BCIs that have proved effective for stroke, Alzheimer’s, and head injury patients.196

1. Risks Associated with Military BCIs Include Hacking, Reduction in Battlefield Teamwork, and Physical and Mental Harm

Use of BCIs on the battlefield leads to risks such as disruption of service or interception of signals by adversaries.197 Like other technologies deployed by the government and military, BCIs could become the latest system to be compromised by hackers. BCIs that collect and record brain signals could open the door for enemies to gain access to communications, strategy, and secrets. More troubling is the possibility of hackers gaining control over modulating BCIs and physically and mentally harming military personnel.

Additional risks relate to an erosion of teamwork and comradery between soldiers on the battlefield and in training when using BCIs for communication.198 While it is possible that communication between soldiers using BCIs could increase bonding and trust, encouraging soldiers to connect to one another through a new and currently limited technology could also erode cohesion, comradery, and a group dynamic important for encouraging cooperation between military personnel.

Other concerns are more future-facing. While BCIs are not currently being deployed for torture or pacification, developers in this space would be wise to consider the ethical implications of using BCIs for these purposes. Controversy and ethical concerns around the military’s use of torture have existed for decades, and BCIs could offer another avenue for a military organization to engage in these activities. Additionally, weapons that target neurodata and nervous systems may proliferate, such as uncharacterized directional phenomena in the form of vibration, pressure, and sound, such as those experienced by U.S. military personnel in Havana, Cuba.199 Time will tell whether BCIs are used for these purposes and whether they will be more or less humane than current methods.

2. Some Military Use of BCIs is Governed by Military Ethics, International Treaties, and U.S. Constitutional Law

While BCIs in the military are still nascent, there are existing military ethics guidelines200—and international treaties such as the Geneva Convention201—that could prohibit future use of invasive BCIs on subjects without consent.202 However, it is important to note that, to our knowledge, today there are no military regulations limiting the use of non-invasive transcranial stimulation in particular for torture, pacification, or interrogation.203

Military BCIs might also be governed by U.S. constitutional law depending on their use. BCIs used for purposes such as deception detection could violate the Fifth Amendment’s “guarantee against self-incrimination” because collecting a soldier’s thoughts might not constitute a permissible physical piece of evidence.204 Moreover, BCIs used for this purpose could run up against the Fourth Amendment as an unreasonable search and seizure.205 However, others argue that Fourth and Fifth Amendment protections might not apply to neurodata collected by BCIs because of a history of real-time collection of medical data being admissible as evidence in a court of law, and because the third-party doctrine results in users forfeiting their expectation of privacy over data shared with a company.206 Various international treaties might also govern BCIs used for interrogation. If it is determined that a BCI is used in conjunction with a “toxic chemical”—defined as a chemical that can cause “temporary incapacitation”—this could be in violation of the Chemical Weapons Convention (CWC).207

Part III: A Mix of Technical and Policy Solutions Can Mitigate Risks

Responsible use of BCIs and associated neurodata is paramount in the health and wellness area, as well as in the consumer and military contexts. A diverse and inclusive list of international stakeholders spanning end-users, directly and indirectly impacted communities, interested or invested industries and marketplaces, academia, governments, and others must commit to articulating a vision for how technology, law, and policy can shape these services in a way that is beneficial to all, with sufficient privacy protections. The challenges in meeting this goal are significant.

While BCIs have shown demonstrable benefits for healthcare for a number of years, the technology—especially in the consumer market—is in its infancy. With a scant number of exceptions—most notably BBI technology—breakthroughs in health services have informed BCI use in the consumer market. Open questions emerge around how moving this technology into the consumer space evolves the privacy and ethical risks seen today in the health context. Moreover, because the uses of this technology are often especially future-facing—even as compared to other emerging technologies—there is no way to comprehensively and accurately predict the specific risks that will emerge in the decades to come. Allowing these technologies to evolve absent strong accountability and enforcement frameworks will result in substantial risks. The guidelines, frameworks, and regulations cited throughout this work—including GDPR, CPRA, the OECD Guidelines, and the proposed EU AI framework—could serve as a foundation for future rules governing BCIs. But regulation must be cognizant of the need to provide a structure for future technological advances and uses, as well as new risks. Moreover, in addition to laws, the proposition that existing human rights conceptualizations need to be updated to reflect these concerns is gaining momentum in some neuroscience spaces—this is an idea around which further discussion is warranted (see the call-out box below on neurorights). The grand challenge of promoting strong privacy protections for BCIs will require a mix of technical and non-technical solutions. While not comprehensive or definitive, the following suggestions provide a starting point.

Case Study: Neurorights in Chile

On October 25, 2021, the Chilean government approved a constitutional reform208 to protect “the mental integrity of neurotechnologies.”209

Chile is also considering a neuroprotection bill,210 based on five fundamental human rights-based principles: the right to personal identity, free will, mental privacy, equitable access to technologies that augment human capacities, and the right to protection against bias and discrimination.211 The bill would likely limit the use of neurotechnologies and associated neurodata to clinical and health research and therapy, meaning that many of the consumer-focused use cases described in this report would likely be prohibited. The bill also provides a number of noteworthy rights and requirements, including: obtaining express, opt-in consent from the user when engaging with neurotechnology; providing notice of possible physical, cognitive, or emotional effects of the treatment; retaining neurodata for only the time necessary to carry out the purpose for which the neurodata was collected; and requiring the state to promote equitable access to neurotechnologies in the public interest.

Perhaps most noteworthy, the bill calls for the collection, storage, treatment, and dissemination of neurodata to be treated as an organ under Chilean organ transplant law.212 This treatment of data as an organ could create practical consequences while significantly limiting both medical and non-medical use of neurotechnologies and neurodata, including: prohibiting the selling of personal neurodata to neuromarketers and researchers; prohibiting the collection of neurodata from patients 18 years old and younger; and prohibiting neurotechnology-related treatment of patients who do not have full use of their mental faculties and do not have a positive physical fitness report.

Philosopher Abel Wajnerman Paz argues that analogizing neurodata with organ transplants is not a logical fit because neurodata, unlike an organ, contains no organic material, is produced by others outside human bodies, and requires “elaborate construction by clinicians and researchers.”213 Dr. Paz provides an alternative avenue for regulating neurotechnologies, suggesting instead that neurodata be regulated as intellectual property. Dr. Paz argues that this could enable the data subject to financially benefit from sharing their neurodata and may lead to the creation of the large data repositories needed for Parkinson’s and Alzheimer’s research.214

A. Technical Solutions Include: Providing On/Off and App Controls to Users; End-to-End Encryption of Neurodata, Privacy Enhancing Technologies, and More

1. Developers Should Provide On/Off Controls Where Possible and Provide Granular Controls on BCI Devices and Companion Apps

The notion of on/off controls for tracking technologies as a form of privacy protection is not new; however, the need for some BCIs to be “always on,” or on for extended periods, especially in the health context, complicates the debate around such devices. In the consumer context, an “always on” default is typically not essential for the device to function properly. In these cases users should have a clear and definite way to control when BCIs are on or off, either with a hard on/off switch on the device or through on/off controls readily accessible through a companion app. As with other devices, there are considerable privacy risks when a BCI is always gathering data or when it can be turned on unintentionally, collecting data without the user’s knowledge.215 These risks are magnified when BCIs record personal neurodata that could be combined with other information over time to draw vast and sensitive inferences about the personal lives of users.

In addition to on/off controls, BCI companies developing and deploying BCIs should provide granular controls to users for managing their neurodata and other associated personal information. Many consumer BCI devices rely on companion mobile apps, which should provide user controls. While companies and device manufacturers ultimately have the best understanding and expertise regarding what data is necessary to operate BCIs, user controls are crucial safeguards to ensure that individuals can manage data collection, deletion, use, and sharing.

2. Developers Should Utilize Best Practices for Privacy and Security to Store and Process Neurodata and Use Privacy Enhancing Technologies Where Appropriate

Regardless of whether neurodata is stored and processed on a BCI device, by a companion app, or on a server operated by the BCI provider, developers should seek to maximize privacy and security. Developers should rely on storage and computing services that can meet appropriate security standards commensurate with the sensitivity of the neurodata. Developers should also look to privacy enhancing technologies as a way of maximizing the utility of neurodata while minimizing privacy risks. Techniques could include differential privacy, in accordance with principles of data minimization and privacy by design. When appropriate, they should use de-identification methods like Privacy Preserving Data Mining (PPDM) and Privacy Preserving Data Publishing (PPDP) for stored and shared data.216 Additionally, developers should ensure sensitive personal neurodata is encrypted both in transit and at rest. These techniques could be especially useful in the BCI space, as the neurodata collected by BCIs could be ripe for data-driven research in the medical field. These techniques are often promoted as a way to maximize the utility of data for research while minimizing user identifiability.

Researchers should also stay abreast of and implement appropriate security safeguards. Poor cybersecurity can leave systems vulnerable to hacking, data breaches, and other malicious activities, endangering user safety. Device hacking is especially dangerous as many BCIs are used for critical health management regimens. Not only could a bad actor access personal neurodata and other collected personal information, but, more alarmingly, they could control how a device modulates, or fails to modulate, a patient’s brain, resulting in physical or psychological harm. Given how quickly the technology, capabilities, and threats in this space are evolving, cybersecurity professionals should take time to consider appropriate, practical, and tailored solutions. A good starting place could be the National Institute of Standards and Technology (NIST) Cybersecurity Framework—a dynamic resource consisting of standards, guidelines, and best practices built to adapt to a particular technology, use case, and context.217

B. Policy Solutions Include: Rethinking Transparency and Control; IRBs and Ethical Review Boards; Multi-Stakeholder Engagement; and Standards Setting and Other Agreements.

1. Given the Novelty of BCIs, Along with the Complexity of Recording and Modulating Neurodata, Organizations Should Rethink Traditional Transparency and Control Models

The novelty and complexity of BCIs warrant an emphasis on transparency and control beyond that of most other emerging technologies. Transparency and control frameworks might have to be rethought in the neurotechnology field. Consumer, government, and health-focused BCIs can vary significantly in their technological capabilities, sophistication, machine learning techniques, purposes, and user bases, often presenting differing privacy risks. These differences often warrant different levels and methods of transparency necessary for consumers, patients, and lawmakers to understand device capabilities, data flows, data storage, and who controls and has access to the data, while encouraging informed consent. For example, a non-invasive EEG-based device that only records neurodata along with an individual’s eye movements, muscle movements, and heartbeat does not have the same risks as a health device that records and modulates a patient’s brain using an invasive BCI. Despite these significant differences, BCIs as a whole are often incorrectly framed and lumped together by the popular media as “mind reading technologies from the future” that can capture and understand the innermost thoughts and workings of the human mind.

Developers and regulators should think creatively about how to promote the transparency necessary for meaningful user control. Privacy policies, terms of service, and other similar documents, while required by law, are often not effective means of providing transparency on their own. Even when these privacy policies are accurate in describing consumer rights and data governance, they might still lack transparency in that they are difficult to understand, vague, and fail to show the complete picture of what is happening with consumer data. In the absence of strong enforcement and without a commitment to trust, transparency, and explainability, privacy policies are likely neither agile enough to keep pace with quickly evolving technology nor adequately accessible to end-users.

Furthermore, although there are attempts to make user controls more flexible, more research is needed on how to best enable user control in ways that are more fluid, nuanced, and longitudinal. BCIs that operate in conjunction with companion apps could provide pop-up notice with the option for users to access more detailed information in a layered approach before consenting to device recording or modulating or other terms. BCI developers might also want to consider using audio and visual cues understandable to users, indicating when a device is recording or modulating. In the future, developers might take advantage of this particular technology by sending a particular signal to a user’s brain indicating some sort of activity. In this scenario, the user can respond to this signal with a particular thought pattern providing or denying consent.

2. When Appropriate, BCI Providers Should Engage IRBs or Independent Review Boards, as well as Multi-Stakeholder Engagement, Before and During Roll Out of New BCI Products or Services

In some circumstances, BCI providers might be required to complete IRB review before gathering primary research data from human subjects or pre-registering clinical trials. Organizations may need to obtain proper approval from bodies like the FDA prior to rolling out new BCI products and services. However, BCIs in the consumer market are not typically subject to these same requirements. One option for consumer-focused BCI organizations seeking to promote strong privacy protections would be committing to an independent review board to consider questions around neurodata collection, use, sharing, storage, and other related concerns. A number of prominent AI researchers and developers have crafted principles and approaches to AI and ML.218 Because BCIs often involve the use of AI and ML, many of these AI principles will inform BCI development. However, AI frameworks do not contemplate all of the major challenges around recording or modulating a user’s brain. As BCIs become more widespread, providers should consider creating internal BCI-specific principles for informing their internal design, policy, and technical decisions. Review boards could also determine whether BCI-related data should be used for research where obtaining prior user consent is impractical.

Organizations should also facilitate multi-stakeholder engagement throughout the development and deployment lifecycle of BCIs. Stakeholder outreach should include researchers, policy professionals, early adopters of the technology, and those who either have yet to adopt the technology but might do so in the future or may be impacted due to the use of the technology by others. The latter group should include those who are often not given a seat at the table when developers make ethical decisions about emerging technology. This should include individuals from vulnerable populations, such as the disability community, individuals from historically surveilled communities, and individuals from geolocations most exposed to digital inequity, among others. The conversation with all stakeholders, and perhaps most crucially with vulnerable populations, should be co-participatory and co-created from the start, meaning that providers should not only inform these populations about the technology, but absorb community feedback and integrate this feedback into internal decision making. Providers should be sure to present these changes and their internal design and decision-making process back to these stakeholders to help continue facilitating an ongoing and collaborative conversation. Further, providers should be engaging these stakeholders from the start of product development, research, and rollout. Providers should avoid premature decisions prior to community engagement, and should be willing to change course, heavily alter, or altogether scrap a project if it runs counter to a particular community’s preferences or could foreseeably cause harm.

3. Companies, Research Institutions, and Policymakers Should Set Policy and Technical Standards for BCI Research, Development, and Use that are Capable of Adapting as the Technology, User Base, and Uses Evolve

Because of the fast-moving nature of this technology, industry, research institutions, and policymakers should draft and subscribe to standards, best practices, and pragmatic regulations. As indicated in this report, a number of laws, best practices, and enforcement bodies can serve as foundations for neurotechnology-specific standards and frameworks. If and where possible, technical and governance communities should leverage existing policies, practices, and bodies pertaining to related technologies to govern BCIs, as well as identify places where existing frameworks or processes do not sufficiently address novel risks.

The latter point is particularly pertinent, since a number of notable privacy challenges are not addressed by current rules. Many of the existing comprehensive and sectoral privacy laws, including GDPR, BIPA, and CPRA, carve out de-identified data. Yet there is still no legal consensus on which types of neurodata can or will be interpreted as biometric data, and in the event that they are, research has shown that biometric data is more difficult to effectively de-identify.219 Another major gap in current regulation relates to what immersive technology expert Brittan Heller refers to as “biometric psychography,” which describes combining collected biometric data with information about stimuli encountered by the user to produce inferences about the user’s likes, dislikes, sexual attraction, fears, and other psychology.220 It might be necessary to rethink and broaden concepts and associated definitions of biometrics to be more inclusive—and therefore more predictive—of downstream emerging properties of neurodata, including psychographical characteristics.

To protect against privacy and responsible governance risks related to these and other BCI-related challenges, stakeholders should develop technical and policy standards for responsible development and use of BCIs that are capable of adapting as the technology, user base, and uses evolve. Technical standards should promote privacy protective techniques, including privacy enhancing technologies; data quality thresholds; and testing standards to ensure that AI and ML techniques are accurate, interpretable, and explainable; among several other elements. Policy standards should include standards related to privacy by design, user profiling, purpose limitations, data minimization, and contractual agreements between BCI manufacturers and third parties related to de-identification, data sharing, and retention, among other concerns.

Alongside technical and policy standards, industry and regulators should promote up-to-date training for developers around processes such as data handling and de-identification learned from academia. For example, depending on the magnet strength, some fMRI images are capable of reconstructing an individual’s face.221 It is common practice in the academic neuroimaging sector to remove the first few slices or images of a file before uploading to a database to prevent identification through 3D reconstruction of a participant’s face. But this is not common practice across all organizations that collect or share these kinds of images, particularly in open-source communities. In addition, stakeholders should consider a policy-driven call to action for the development of tech-driven safeguards to test for these kinds of errors and flag them, remove them, or fix them.
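As an added illustration (not code from the report or its authors), the following Python sketches the flag / remove / fix safeguard the paragraph calls for, on a constructed volume; the number of leading slices that cover the face (FACE_SLICES) and the [slice][row][col] layout are assumptions, since real scans vary by scanner and orientation.

```python
"""Constructed illustration of a pre-upload safeguard for neuroimaging volumes:
flag volumes whose leading (face) slices still carry signal, and either strip
those slices, as academic practice does, or blank them so geometry is kept."""
from typing import List, Tuple

Volume = List[List[List[float]]]   # assumed layout: [slice][row][col]

# Assumption: the face region is covered by the first FACE_SLICES slices.
# The real value depends on scanner, field of view and slice orientation.
FACE_SLICES = 3


def build_sample_volume(n_slices: int = 10, rows: int = 4, cols: int = 4) -> Volume:
    """Constructed stand-in for a structural scan in which every voxel carries signal."""
    return [
        [[float(1 + s * 100 + r * 10 + c) for c in range(cols)] for r in range(rows)]
        for s in range(n_slices)
    ]


def slice_mean(sl: List[List[float]]) -> float:
    """Mean voxel intensity of one slice."""
    voxels = [v for row in sl for v in row]
    return sum(voxels) / len(voxels)


def leading_slices_carry_signal(vol: Volume, n: int = FACE_SLICES, threshold: float = 0.0) -> bool:
    """The 'flag' step: True when any of the first n slices has a mean intensity above
    the threshold, i.e. the face region has not been removed or blanked."""
    return any(slice_mean(sl) > threshold for sl in vol[:n])


def strip_face_slices(vol: Volume, n: int = FACE_SLICES) -> Volume:
    """The 'remove' step described in the text: drop the first n slices outright."""
    return vol[n:]


def zero_face_slices(vol: Volume, n: int = FACE_SLICES) -> Volume:
    """The 'fix' step that preserves geometry: blank the first n slices instead of
    dropping them, so tools expecting a fixed slice count keep working. Returns a copy."""
    if not vol:
        return []
    blank = [[0.0 for _ in row] for row in vol[0]]
    return [[r[:] for r in blank] for _ in vol[:n]] + [[r[:] for r in sl] for sl in vol[n:]]


def audit_and_fix(vol: Volume, n: int = FACE_SLICES) -> Tuple[str, Volume]:
    """Gate for a sharing pipeline: ('ok', vol) when the leading slices are already blank,
    otherwise ('fixed', blanked copy) so the caller can log the event and upload the safe copy."""
    if not leading_slices_carry_signal(vol, n):
        return "ok", vol
    return "fixed", zero_face_slices(vol, n)


if __name__ == "__main__":
    raw = build_sample_volume()
    status, safe = audit_and_fix(raw)
    print(status, len(raw), len(safe), leading_slices_carry_signal(safe))  # fixed 10 10 False
```

The threshold is zero here because the constructed volume has no background noise; on real data it would be set above the scanner's noise floor.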

4. BCI Stakeholders Should Encourage the Adoption of Open Standards for Neurodata and Share De-Identified Research Data Under Open Licenses to Promote an Open and Inclusive Research Ecosystem

The development of neurotechnologies presents significant barriers to entry, as BCIs often require significant capital investment and highly specialized skill sets that would likely be inaccessible to all but a select few companies and organizations. This creates an environment in which leading neurotechnology organizations could create proprietary standards, fragmenting the neurotechnology research ecosystem. This would prevent many in industry and academia from accessing the best and most cost-effective tools available, sharing their knowledge, and incorporating diverse perspectives to advance innovation in the field. To minimize such barriers to an open and inclusive research ecosystem, companies and other stakeholders should support the development and widespread adoption of open standards for neurodata. Stakeholders may also consider whether open-licensing of properly de-identified and consented neurotechnology and neurodata research datasets is feasible and appropriate, as this has the potential to maximize data accessibility for trusted researchers.

5. Policymakers Should Review the Adequacy of Existing Policy Frameworks for Governing the Unique Risks of Neurotechnologies

As established by this report, neurotechnologies can pose both familiar and novel risks. For familiar risks, such as vulnerability to hacking, the need to protect sensitive data, or the collection of data from minors, existing policy frameworks likely apply just as effectively to neurotechnologies as they do to consumer and medical technologies available today. However, the unique risks posed by neurotechnologies, such as the potential erosion of mental privacy or even more challenging concerns such as the implications for free will and human agency, highlight the possibility that existing policy frameworks may be insufficient to adequately protect people from harm. Furthermore, as neurotechnologies mature and become more commonplace, new applications unimaginable today will pose a host of new, unforeseen risks and benefits that today’s policy frameworks were not designed to address.

Policymakers and other BCI stakeholders should carefully evaluate how existing policy frameworks apply to neurotechnologies and identify potential areas where existing laws and regulations may be insufficient for the unique risks of neurotechnologies. Importantly, policymakers should prioritize a focus on well-defined risks, while tracking developments that can raise future concerns. Future advances may create unexpected problems, but these may also be mitigated by other future factors such as yet-to-be-developed technological safeguards or changing societal norms. Potential decisions to ban particular high-risk uses of neurotechnology should similarly be discussed and considered in depth among experts before such decisions are made. Regardless, it is critical that policymakers are well educated about the risks neurotechnologies can pose and the potential solutions to these risks, so that they can swiftly and effectively implement these solutions when appropriate.

CONCLUSION

As BCIs evolve and become more commercially available across numerous sectors, it is paramount to understand the unique risks such technologies pose. It is just as important to understand how these technologies work and what data is necessary for them to function. Privacy and data governance risks can be minimized through broad adoption of both technical and policy recommendations that can make BCI data less identifiable, less potentially harmful, and more secure. Because the field of neurotechnology is especially future-facing, developers, researchers, and policymakers will have to create best practices and policies that consider existing risks and strategically prioritize future risks in ways that balance the need for proactive solutions with the need to mitigate misinformation and hype; deciding which of the technical, social, or policy issues outlined in this report to prioritize first remains an open but vitally important area for discussion and concrete action.

BCIs will also likely augment and be combined with many existing technologies that are currently on the market. This means that new technical and ethical issues are likely to arise and existing issues could be compounded with one another. In the near future, BCI providers, neuroscience and neuroethics experts, policymakers, and societal stakeholders will need to come together to consider what constitutes high-risk use in the field and make informed decisions around whether certain BCI applications should be prohibited, a position around which more robust and critical discussion is needed. Finally, and perhaps more fundamentally, it is also possible that the future of privacy itself, and our notions of what it means to have or obtain privacy at basic human or societal levels, could be challenged in ways that we cannot currently comprehend or anticipate. We hope this report and our ongoing work help support the technical, legal, and policy developments that will be required to ensure the advances in this sector are implemented in ways that benefit society.

ENDNOTES
1. Concepts such as mental privacy, human agency, and fairness are complicated, contextually dependent, and culturally influenced. Likewise, terms used throughout this report—such as conscious, unconscious, subconscious, or intentional—have diverging meanings for neuro-scholars, legal experts, and the general public. We do not have the space in this report to dive deeper into these notions; however, it is important to acknowledge their nuance up front, and we recommend that conversations around these topics and efforts at better standardizing the language used in this space be prioritized.

2. Although the definition of neurodata is the same for humans and animals, the focus of this report is neurodata coming from human nervous systems. There are also two points worth mentioning for the sake of clarity. First, while the majority of neurodata is currently related to neurons (their electrical, hemodynamic, and chemical activity, their anatomical components, their connections, etc.), there already exists neurotechnology which targets glia—helper cells of the nervous system—to change perception and health. While this report is focused on neuronal neurodata, it is widely believed that these sorts of non-neuronal applications will continue to grow in the future, and thus what is included in the concept of neurodata is likely to expand and change in parallel. Second and related, it is a scientific fact that any human behavior can be traced back to neurodata; for the purposes of this report, we constrain the focus to primary neurodata and first-order proxies of neurodata, but it is important to acknowledge that second-order or downstream behaviors and associated analyses of these behavioral data may also be seen as extensions of neurodata by some neuroscientists, neurotechnicians, and neuroethicists in the field.

3. While often connected to the Internet, some BCIs, including those that rely on implantable pulse generator (IPG) technology, use radiofrequency rather than internet technologies such as WiFi or Bluetooth for communication and control.

4. See Andrea M. Matwyshyn, The Internet of Bodies, 61 Wm. & Mary L. Rev. 77 (2019), available at https://scholarship.law.wm.edu/wmlr/vol61/iss1/3/.
5. See Marcello Ienca & Gianclaudio Malgieri, Mental Data Protection and the GDPR, 4 (May 5, 2021), available at https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3840403, coining the term “digital mind” to describe the “moment-by-moment quantification of the individual-level human mind using data from neural interfaces and other digital technology—and a more intimate connection between minds and machines.”

6. The Institute of Electrical and Electronics Engineers, Inc., Standards Roadmap: Neurotechnologies for Machine Interfacing, (2020), https://standards.ieee.org/content/dam/ieee-standards/standards/web/documents/presentations/ieee-neurotech-for-bmi-standards-roadmap.

7. There is currently no agreed-upon definition of technological maturity within the neurotech community or a mappable timeline to reasonably expect translation of neuroscience research into direct-to-consumer products. Therefore, concepts such as “near-term” or “far-term” are not well delineated and may change depending on the marketplace. Moreover, given that there are multiple technologies emerging or evolving simultaneously, it is unknown what (if anything) will change and propel the field forward faster than imaging. This is particularly true where technologies intersect (e.g. artificial intelligence + neurotech or quantum computing + neurotech). While it is necessary to dampen hype and misinformation around the field, as this can create unrealistic expectations or unwarranted fears, it would be unwise not to plan for more advanced capabilities whenever, or if ever, they arise. Research on predicting the trajectory of BCIs and other neurotechnological capabilities would be particularly useful for aiding in planning and prioritizing issues while still remaining vigilant towards potential future or unknown downstream consequences.

8. Bidirectional BCIs are systems that translate neural signals recorded from various areas of the brain into certain actions or sensations and
perceptions (for example, using motor cortex signals to create motor commands). In addition to bi-directional BCIs, BCIs can also be closed
loop—meaning that the device senses the effect of the modulation and then alters this modulation based on the observed effect. Closed
loop BCIs are often used to treat movement disorders like Parkinson’s Disease or sensorimotor impairments caused by spinal cord injury. See
Patrick D. Ganzer et al., Restoring the Sense of Touch Using a Sensorimotor Demultiplexing Neural Interface, Cell (Apr. 23, 2020), available
at https://www.cell.com/cell/fulltext/S0092-8674(20)30347-0.

9. Simon Little et al., Adaptive Deep Brain Stimulation in Advanced Parkinson Disease, Annals of Neurology (Jul. 12, 2013), available at https://onlinelibrary.wiley.com/doi/full/10.1002/ana.23951; S. Andrew Josephson, A Novel Brain-Computer Interface Approach to Deep Brain Stimulation for Parkinson’s Disease (2013), https://www.medscape.com/viewarticle/814726.

10. See SLUCare, After Sudden Hearing Loss, Cochlear Implant Returns Patient’s Quality of Life (Sept. 24, 2019), https://www.youtube.com/watch?v=Mb0wlYsq_UM; see also Ann Perreau et al., Programming a Cochlear Implant for Tinnitus Suppression, Journal of the American Academy of Audiology (Apr. 31, 2020), available at https://www.thieme-connect.de/products/ejournals/abstract/10.3766/jaaa.18086.

11. James Wu & Rajesh P. N. Rao, Melding Mind and Machine: How Close Are We?, Smithsonian Magazine (Apr. 11, 2017), https://www.smithsonianmag.com/innovation/melding-mind-and-machine-how-close-are-we-180962857/.

12. Intro to Brain Computer Interface, NeurotechEDU (last accessed Jun. 17, 2021), http://learn.neurotechedu.com/introtobci/. There is no widely accepted definition of an invasive procedure, but researchers recently proposed one, defining an “invasive procedure” as one where purposeful/deliberate access to the body is gained via an incision, a percutaneous puncture where instrumentation is used in addition to the puncture needle, or instrumentation via a natural orifice. See Sian Cousins et al., What Is an Invasive Procedure? A Definition to Inform Study Design, Evidence Synthesis, and Research Tracking, BMJ Open (Jul. 9, 2019), https://bmjopen.bmj.com/content/bmjopen/9/7/e028576.full.

13. Jeremiah D. Wander & Rajesh P. N. Rao, Brain-Computer Interfaces: A Powerful Tool for Scientific Inquiry, Current Opinion in Neurobiology
(2014) 25: 70–75.

14. See Angela Chen, Elon Musk’s Dreams of Merging AI and Brains Are Likely to Remain Just That–for at Least a Decade, The Verge (Apr. 21,
2017), https://www.theverge.com/2017/4/21/15370376/elon-musk-neuralink-brain-computer-ai-implant-neuroscience.

15. Intro to Brain Computer Interface, supra note 12.

16. Jane Wakefield, Elon Musk’s Neuralink ‘Shows Monkey Playing Pong with Mind’, BBC (Apr. 9, 2021), https://www.bbc.com/news/technology-56688812; see Neuralink, Monkey MindPong, YouTube (Apr. 8, 2021), https://www.youtube.com/watch?v=rsCul1sp4hQ.

17. John Koetsier, Elon Musk Wants to Put a ‘Fitbit In Your Skull’ to Summon Your Tesla, Forbes (Aug. 28, 2020), https://www.forbes.com/sites/johnkoetsier/2020/08/28/elon-musk-wants-to-put-a-fitbit-in-your-skull-to-summon-your-tesla/?sh=6b74efb3586a. In addition to Neuralink, several other companies are active in BCI development. See Cathy Hackl, Meet the 10 Companies Working On Reading Your Thoughts (And Even Those of Your Pets), Forbes (Jun. 21, 2020), https://www.forbes.com/sites/cathyhackl/2020/06/21/meet-10-companies-working-on-reading-your-thoughts-and-even-those-of-your-pets/?sh=23ed1f26427c.

18. Bryn Farnsworth, What is EEG (Electroencephalography) and How Does it Work?, iMotions Blog (Jul. 15, 2019), https://imotions.com/blog/what-is-eeg/.

19. See Murta Kulich et al., Neurosensory Disorders in Mild Traumatic Brain Injury, 23-47 (Michael E. Hoffer & Carey D. Balaban eds., 2019).

FUTURE OF PRIVACY FORUM | IBM | PRIVACY AND THE CONNECTED MIND | NOVEMBER 2021 34

20. See Noman Naseer & Keum-Shik Hong, fNIRS-Based Brain-Computer Interfaces: A Review, 9:3 (Front Hum Neurosci) (2015), available at
https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4309034/.

21. What is Transcranial Direct Current Stimulation?, Neuromodec (last accessed May 16, 2021), https://neuromodec.com/what-is-transcranial-direct-current-stimulation-tdcs/.

22. What is Transcranial Magnetic Stimulation (TMS)?, Neuromodec (last accessed May 16, 2021), https://neuromodec.com/what-is-transcranial-magnetic-stimulation-tms/.

23. See Nicola Riccardo Polizzotto et al., Is It Possible to Improve Working Memory with Prefrontal tDCS? Bridging Currents to Working Memory Models, Front. Psychol. (May 26, 2020), available at https://www.frontiersin.org/articles/10.3389/fpsyg.2020.00939/full; Can Brain Stimulation Aid Memory and Brain Health?, Harvard Health Publishing (Aug. 6, 2015), https://www.health.harvard.edu/mind-and-mood/can-brain-stimulation-aid-memory-and-brain-health, recognizing that more research is needed on the efficacy of brain stimulation for memory retention and learning improvement.

24. Other non-invasive techniques used to study the brain include positron emission tomography (PET), functional magnetic resonance imaging (fMRI), magnetic resonance tomography (MRT), and magnetoencephalography (MEG), among many others.

25. Jerry J. Shih et al., Brain-Computer Interfaces in Medicine, 87(3) Mayo Clin Proc. 268-279 (Dec. 8, 2011), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3497935/.

26. See Adi Robertson, I Tried the Wristband that Lets You Control Computers with Your Brain, The Verge (Jun. 6, 2018), https://www.theverge.com/2018/6/6/17433516/ctrl-labs-brain-computer-interface-armband-hands-on-preview.

27. Electromyography (EMG), Brigham Health (last accessed May 16, 2021), https://www.brighamandwomens.org/neurology/neuromuscular-diseases/electromyography.

28. Inside Facebook Reality Labs: The Next Era of Human-Computer Interaction, Tech@Facebook (Mar. 9, 2021), https://tech.fb.com/inside-facebook-reality-labs-the-next-era-of-human-computer-interaction/.

29. This timeline is not intended to be a comprehensive list of neurotechnology breakthroughs, but rather a chronology of some foundational moments in communication interfaces, BCIs, and related technology. While the BCI field is still emerging and innovating, this timeline shows that research related to BCIs is part of a tradition of research into electronic communication techniques that has been in the works for decades.

30. For more information about identifying individuals based on neurodata, see Russell A. Poldrack et al., Long-Term Neural and Physiological Phenotyping of a Single Human, Nature Communications (Dec. 9, 2015), https://www.nature.com/articles/ncomms9885; Elise Hu, Move Objects with Your Mind? We’re Getting There, With the Help of an Armband, NPR (Jul. 16, 2019), https://www.npr.org/transcripts/717487081.

31. See Jason da Silva Castanheira et al., Brief Segments of Neurophysiological Activity Enable Individual Differentiation, Nature Communications 12: 5713 (2021), available at https://www.nature.com/articles/s41467-021-25895-8.

32. See e.g. Voices of VR Podcast, #987: The Neuroscience of Neuromotor Interfaces + Privacy Implications with Facebook Reality Labs’ Thomas Reardon (Mar. 30, 2021), available at https://voicesofvr.com/987-the-neuroscience-of-neuromotor-interfaces-privacy-implications-with-facebook-reality-labs-thomas-reardon-2/, suggesting that while identification based solely on an individual’s motor map is not being done today, it is feasible given the uniqueness of motor maps.

33. Emily Gera, The Neuroscience of Mind-Control Gaming, Variety (Nov. 26, 2018), https://variety.com/2018/gaming/features/brain-computer-interface-neurable-1203036143/.

34. Road Transport, SmartCap (last accessed May 16, 2021), http://www.smartcaptech.com/industries/transport/.

35. Brent J. Lance et al., Brain-Computer Interface Technologies in the Coming Decades, 100 Proceedings of the IEEE 1585-1599 (Mar. 1, 2012), available at https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6162941.

36. A brain implant has been developed that uses AI to recognize brain activity related to speech and translate the activity into sentences. See Jason Arunn Murugesu, Mind-Reading AI Turns Thoughts Into Words Using Brain Implant, New Scientist (Mar. 30, 2020), https://www.newscientist.com/article/2238946-mind-reading-ai-turns-thoughts-into-words-using-a-brain-implant/; Facebook hopes to someday incorporate similar technology into VR headsets, which, unlike brain implants, are non-invasive. See Daphne Leprince-Ringuet, Facebook’s Mind-Reading Plans Just Took Another Step Forward, ZDNet (Apr. 1, 2020), https://www.zdnet.com/article/facebooks-mind-reading-plans-just-took-another-step-forward/.

37. Alexandre Gonfalonieri, Consumer Brain-Computer Interface: Challenges & Opportunities, Medium (May 18, 2021), https://alexandregonfalonieri.medium.com/consumer-brain-computer-interface-challenges-opportunities-e8204190d828.

38. Id., citing Mariam Hassib & Stefan Schneegass, Brain Computer Interfaces for Mobile Interaction: Opportunities and Challenges, MobileHCI’15, August 24-27, available at https://www.medien.ifi.lmu.de/pubdb/publications/pub/hassib2015mobilehci/hassib2015mobilehci.

39. Intro to Brain Computer Interface, supra note 12.

40. IBM defines machine learning as “a branch of artificial intelligence and computer science which uses data and algorithms to imitate the way humans learn, gradually improving its accuracy.” IBM Cloud Education, Machine Learning (Jul. 15, 2020), https://www.ibm.com/cloud/learn/machine-learning.

41. We recognize that the neuroscience research sector is already, and will continue to be, greatly impacted by these kinds of neurotechnologies, as more accessible BCIs will change who can perform what research and at what scale. For example, the company Kernel is making EEGs more affordable and offering neuroscience studies as a service; see Ashlee Vance, Can a $110 Million Helmet Unlock the Secrets of the Mind?, Bloomberg Businessweek (Jun. 16, 2021), https://www.bloomberg.com/news/features/2021-06-16/braintree-founder-s-helmet-size-hospital-aims-to-mine-mind-data. However, the focus of this report is primarily the commercial and private sectors, and thus we have excluded basic research as a section of this report.

42. See Ellen Wright Clayton et al., The Law of Genetic Privacy: Applications, Implications, and Limitations, Journal of Law and the Biosciences (Oct. 2019) 6(1), available at https://academic.oup.com/jlb/article/6/1/1/5489401.

43. See Biometric Information Privacy Act (BIPA), 740 ILCS 14/1 (2008), available at https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004&ChapterID=57; see also California Privacy Rights Act (CPRA) of 2020 (2020), available at https://www.caprivacy.org/annotated-cpra-text-with-ccpa-changes/.

44. OECD Recommendation on Responsible Innovation in Neurotechnology (Dec. 11, 2019), available at https://www.oecd.org/science/recommendation-on-responsible-innovation-in-neurotechnology.htm.

45. Implanted Brain-Computer Interface (BCI) Devices for Patients with Paralysis or Amputation – Non-Clinical Testing and Clinical Considerations, FDA (May 2021), available at https://www.fda.gov/regulatory-information/search-fda-guidance-documents/implanted-brain-computer-interface-bci-devices-patients-paralysis-or-amputation-non-clinical-testing.

46. Notably, Article 8 of the European Convention on Human Rights; Articles 7 and 8 of the EU Charter of Fundamental Rights. Many Constitutions
in Latin American countries also recognize the right to respect for private life and confidentiality, and sometimes an individual, separate right to
protection of personal data. See also below our Case Study on Chile and specific neurorights elevated recently at constitutional level.

47. The concept of “personality rights” is generally used to denote the bundle of rights aimed at the protection of the integrity and inviolability of the individual, and it usually encompasses the right to private life, to one’s own image, to respect of a person’s name, to the inviolability of a person’s body, to reputation, etc. See Giorgio Resta, The New Frontier of Personality Rights and the Problem of Commodification: European and Comparative Perspectives (2011), Tulane European and Civil Law Forum, Vol. 26, p. 33–65.

48. Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence, European Commission (Apr. 2021), available at https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-laying-down-harmonised-rules-artificial-intelligence.

49. CPRA, supra note 43.

50. General Data Protection Regulation (EU) 2016/679 (2016), available at https://gdpr-info.eu/.

51. See e.g. Karen S. Rommelfanger et al., Neuroethics Questions to Guide Ethical Research in the International Brain Initiatives, 100: 19-36 Neuron (Oct. 2018), available at https://www.sciencedirect.com/science/article/pii/S0896627318308237.

52. See Xiaotong Fu et al., EEG-Based Brain-Computer Interfaces (BCIs): A Survey of Recent Studies on Signal Sensing Technologies and Computational Intelligence Approaches and Their Applications, IEEE/ACM Transactions on Computational Biology and Bioinformatics (Dec. 2020), available at https://www.researchgate.net/publication/347966443_EEG-based_Brain-Computer_Interfaces_BCIs_A_Survey_of_Recent_Studies_on_Signal_Sensing_Technologies_and_Computational_Intelligence_Approaches_and_their_Applications.

53. Emilia Mikołajewska & Dariusz Mikołajewski, Non-invasive EEG-based Brain-computer Interfaces in Patients With Disorders of Consciousness, Military Medical Research (2014) 1(14), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC4459059/.

54. Masaki Nakanishi et al., Detecting Glaucoma with a Portable Brain-Computer Interface for Objective Assessment of Visual Function Loss, JAMA Ophthalmology (2017), 135(6): 550-557, available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5772598/.

55. L. Huang & G. van Luijtelaar, Brain Computer Interface for Epilepsy Treatment, IntechOpen (Jun. 5, 2013), available at https://www.semanticscholar.org/paper/Brain-Computer-Interface-for-Epilepsy-Treatment-Huang-Luijtelaar/8bdb7cc1897ce0b109d14b61567635b567f681cf.

56. Russ Juskalian, A New Implant for Blind People Jacks Directly Into the Brain, MIT Technology Review (Feb. 6, 2020), https://www.technologyreview.com/s/615148/a-new-implant-for-blind-people-jacks-directly-into-the-brain/.

57. See e.g., Frost & Sullivan, Brain-Computer Interface Hold a Promising Future, Alliance of Advanced Biomedical Engineering (2017), https://aabme.asme.org/posts/brain-computer-interface-the-most-investigated-areas-in-health-care-hold-a-promising-future.

58. Duncan Graham-Rowe, Wheelchair Makes the Most of Brain Control, MIT Technology Review (Sept. 13, 2010), https://www.technologyreview.com/s/420756/wheelchair-makes-the-most-of-brain-control/.

59. The Brain Powered Wheelchair, Enabled.in (2014), https://enabled.in/wp/brain-powered-wheelchair/.

60. Brain Implants Enable Man to Simultaneously Control Two Prosthetic Limbs with ‘Thoughts’, Neuroscience News (Dec. 12, 2020), https://neurosciencenews.com/bci-prosthetic-limb-movement-17423/.

61. Id.

62. See Mathis Fleury et al., A Survey on the Use of Haptic Feedback for Brain-Computer Interfaces and Neurofeedback, Front. in Neurosci. (Jun. 23, 2020), available at https://www.frontiersin.org/articles/10.3389/fnins.2020.00528/full.

63. See Xiang Zhang et al., Internet of Things Meets Brain-Computer Interface: A Unified Deep Learning Framework for Enabling Human-Thing Cognitive Interactivity, IEEE Internet of Things Journal, 6:2, 2084-2092 (Oct 2018), available at https://ieeexplore.ieee.org/document/8506382; see e.g. Neal Ungerleider, This Life-Changing Philips Hue Hack Makes the Internet of Everything Mean Something, Fast Company (Aug. 6, 2014), https://www.fastcompany.com/3034044/this-life-changing-philips-hue-hack-makes-the-internet-of-everything-mean-something.

64. See Iris Coates McCall et al., Owning Ethical Innovation: Claims about Commercial Wearable Brain Technologies, Neuron (Mar. 2019), 102(4) 728-731, available at https://www.cell.com/neuron/fulltext/S0896-6273(19)30289-2.

65. Neurosky Store (last accessed May 16, 2021), https://store.neurosky.com/.

66. Id.

67. Id.

68. Id.

69. Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott’s (formerly St. Jude Medical’s) Implantable Cardiac Pacemakers: FDA Safety Communication, iData Research (Jan. 9, 2017), https://idataresearch.com/firmware-update-address-cybersecurity-vulnerabilities-identified-abbotts-formerly-st-jude-medicals-implantable-cardiac-pacemakers-fda-safety-communication/.

70. Ms. Smith, Hacking Pacemakers, Insulin Pumps and Patients’ Vital Signs in Real Time, CSO (Aug. 12, 2018), https://www.csoonline.com/article/3296633/hacking-pacemakers-insulin-pumps-and-patients-vital-signs-in-real-time.html.

71. Jeffrey Tully et al., Connected Medical Technology and Cybersecurity Informed Consent: A New Paradigm, 22(3) J Med Internet Res (2020), available at https://www.jmir.org/2020/3/e17612/.

72. Xiao Zhang et al., Tiny Noise Can Make an EEG-Based Brain-Computer Interface Speller Output Anything, arXiv (Jul 16, 2020), available at https://arxiv.org/abs/2001.11569.

73. Walter Glannon, Ethical Issues With Brain-Computer Interfaces, Front. Syst. Neurosci. (Jul. 30, 2014), https://www.frontiersin.org/articles/10.3389/fnsys.2014.00136/full.

74. 45 C.F.R. part 46 (2018), https://www.ecfr.gov/cgi-bin/retrieveECFR?gp=&SID=83cd09e1c0f5c6937cd9d7513160fc3f&pitd=20180719&n=pt45.1.46&r=PART&ty=HTML.

75. Connect2HealthFCC – Wireless Health and Medical Devices Background, FCC.gov (last accessed May 16, 2021), https://www.fcc.gov/general/connect2healthfcc-wireless-health-and-medical-devices-background.

76. See Muse (last accessed Oct. 31, 2021), https://choosemuse.com/.

77. The consent usually required for participation in a research project is different and separate from the consent for processing of personal data for the purposes of the research project under the GDPR – see EDPB Q&A Document on processing of personal data for scientific health research, https://edpb.europa.eu/sites/…reresearch_final (February 2021).

78. GDPR, supra note 50, arts. 6(1) and 9(2)(i) and 9(2)(j) (2016), available at https://gdpr-info.eu/art-6-gdpr/.
79. European Commission, supra note 48.
80. See Valeria Marcia & Kevin C. Desouza, The EU Path Towards Regulation on Artificial Intelligence, Brookings (Apr. 26, 2021), https://www.brookings.edu/blog/techtank/2021/04/26/the-eu-path-towards-regulation-on-artificial-intelligence/.

81. Id.

82. Melody Moore Jackson & Rudolph Mappus, “Applications for Brain-Computer Interfaces,” in Brain-Computer Interfaces: Applying our Minds to Human-Computer Interaction, ed. Desney S. Tan and Anton Nijholt (2010), London: Springer, 89–104.

83. Raw EEG recordings contain noise and require significant post-processing to provide even rudimentary interpretations. This runs counter to common myths that raw EEG recordings alone can provide deep insight into the inner workings of the human mind and detailed explanations of what the wearer is thinking.

84. Priya Singh, 10 Real Life Examples of BCI Devices That You Can Control With Your Thoughts, Analytics India Magazine (Nov. 20, 2017), https://analyticsindiamag.com/10-times-companies-made-inexpensive-consumer-based-bci-devices-using-eeg/.

85. Diamond Feit, Hands On: NeuroBoy, a Game You Play With Your Brain, Wired (Oct. 1, 2009), https://www.wired.com/2009/10/adventures-of-neuroboy/.

86. Star Wars Science Force Trainer II Brain-Sensing Hologram Electronic Game, Amazon.com (last accessed Mar. 16, 2020), https://www.amazon.com/Science-Trainer-Brain-Sensing-Hologram-Electronic/dp/B00X5CCDYQ.

87. Linxing Jiang et al., BrainNet: A Multi-Person Brain-to-Brain Interface for Direct Collaboration Between Brains, Scientific Reports (2019), 9: 6115, available at https://www.nature.com/articles/s41598-019-41895-7.

88. Sarah McQuate, How You and Your Friends Can Play a Video Game Together Using Only Your Minds, UW News (Jul. 1, 2019), https://www.washington.edu/news/2019/07/01/play-a-video-game-using-only-your-mind/.

89. Lauren Goode, Get Ready to Hear a Lot More about ‘XR’, Wired (Jan. 5, 2019), https://www.wired.com/story/what-is-xr/.

90. Victor Tangermann, Expert: VR Headsets Should Have Brain Interfaces, Futurism (Mar. 26, 2019), https://futurism.com/brain-computer-interface-vr-headsets.

91. See Neurable (last accessed Mar. 17, 2020), https://www.neurable.com/. Other than EEG electrodes, companies are experimenting with other non-invasive methods, such as fNIRS, integrated into HMDs.

92. Gera, supra note 33.

93. Id.

94. See e.g. Ryota Horie et al., A Hands-On Game by using a Brain-Computer Interface, an Immersive Head Mounted Display, and a Wearable Gesture Interface, IEEE Global Conference on Consumer Electronics (GCCE) (2017), https://ieeexplore.ieee.org/document/8229324.

95. See e.g. Nataliya Kos’myna, Project AttentivU, MIT Media Lab (last updated Feb. 4, 2020), https://www.media.mit.edu/projects/attentivu/overview/.

96. See e.g. Seongah Chin & Chung-Yeon Lee, Personality Trait and Facial Expression Filter-Based Brain-Computer Interface, International Journal of Advanced Robotic Systems (May 15, 2017), https://journals.sagepub.com/doi/full/10.5772/55665.

97. See e.g. Kyle Melnick, Sundance: Breathe is a Multi-Person Mixed Reality Experience Powered By Breathing, VRScout (Jan. 24, 2020), https://vrscout.com/news/sundance-breath-multi-person-vr-breathing/.

98. See e.g. Neurowear (last accessed Sept. 24, 2021), https://neurowear.com/.

99. See OpenBCI (last accessed Feb. 16, 2021), https://openbci.com/.

100. Antony Vitillo, OpenBCI: Games Using Brain-Interfaces Coming in 3 Years, The Ghost Howls (Feb. 12, 2021), https://skarredghost.com/2021/02/12/openbci-galea-valve-index-bci/amp/?__twitter_impression=true&s=0.

101. Tangermann, supra note 90; another prominent example of BCI technology combined with a VR HMD is the hardware developed by NextMind; see NextMind (last accessed Jun. 11, 2021), https://www.next-mind.com/.

102. Luke Appleby, Gabe Newell Says Brain-Computer Interface Tech Will Allow Video Games Far Beyond What Human ‘Meat Peripherals’ Can Comprehend, 1 News (Jan. 24, 2021), https://www.tvnz.co.nz/one-news/new-zealand/gabe-newell-says-brain-computer-interface-tech-allow-video-games-far-beyond-human-meat-peripherals-can-comprehend.

103. Brittan Heller, Reimagining Reality: Human Rights and Immersive Technology, Carr Center for Human Rights Policy (Jun. 12, 2020), available at https://carrcenter.hks.harvard.edu/files/cchr/files/ccdp_2020-008_brittanheller.

104. See Courtney Friedman, Traffickers Targeting People Online More Than Ever Before, Experts Warning Parents, KSAT.com (Jan. 17, 2021), https://www.ksat.com/news/local/2021/01/18/traffickers-targeting-people-online-more-than-ever-before-experts-warning-parents/.

105. 16 C.F.R. § 312 (1998, updated 2013).

106. Request for Public Comment on the Federal Trade Commission’s Implementation of the Children’s Online Privacy Protection Rule, 84 FR 35842 (proposed Jul. 25, 2019), https://www.federalregister.gov/documents/2019/07/25/2019-15754/request-for-public-comment-on-the-federal-trade-commissions-implementation-of-the-childrens-online.

107. BIPA, supra note 43, 96. 740 ILL. COMP. STAT. ANN. 14/10.

108. WASH. REV. CODE § 19.35.010.

109. GDPR, supra note 50, art. 14(4) (2016), available at https://gdpr-info.eu/art-14-gdpr/.

110. CPRA, supra note 43.

111. See SmartCap (last accessed May 17, 2021), http://www.smartcaptech.com/.

112. Julie Weed, Wearable Tech That Tells Drowsy Truckers It’s Time to Pull Over, New York Times (Feb. 11, 2020), https://www.nytimes.com/2020/02/06/business/drowsy-driving-truckers.html.

113. Id.

114. Kos’myna, supra note 95.

115. Erin Winick, With Brain-Scanning Hats, China Signals It Has No Interest in Workers’ Privacy, MIT Technology Review (Apr. 30, 2018), https://www.technologyreview.com/f/611052/with-brain-scanning-hats-china-signals-it-has-no-interest-in-workers-privacy/.

116. Stephen Chen, ‘Forget The Facebook Leak’: China is Mining Data Directly From Workers’ Brains On an Industrial Scale, South China Morning Post (Apr. 29, 2018), https://www.scmp.com/news/china/society/article/2143899/forget-facebook-leak-china-mining-data-directly-workers-brains.

117. Alexandre Gonfalonieri, What Brain-Computer Interfaces Could Mean for the Future of Work, Harvard Business Review (Oct. 6, 2020), https://hbr.org/2020/10/what-brain-computer-interfaces-could-mean-for-the-future-of-work#.

118. See e.g. Sujatha K et al., Brain Computer Interface Technology in Polygraphy, 117 International Journal of Pure and Applied Mathematics 235 (2017), available at https://acadpubl.eu/jsi/2017-117-20-22/articles/22/44 .

119. See Caputron (last accessed Jun. 17, 2021), https://caputron.com; see also Best tDCS Device of 2021, tDCS.com (Jan. 20, 2021), https://www.tdcs.com/best-tdcs-devices.

120. Royal Society, iHuman: Blurring Lines Between Mind and Machine, 42 (Sept. 2019), https://royalsociety.org/-/media/policy/projects/ihuman/report-neural-interfaces .

121. Justin M. Nelson et al., The Effects of Transcranial Direct Current Stimulation (tDCS) on Multitasking Performance and Oculometrics, Military Psychology (2019) 31(3): 212–226, available at https://www.tandfonline.com/doi/abs/10.1080/08995605.2019.1598217?journalCode=hmlp20.

122. Gonfalonieri, supra note 117.

123. Sarah Marsh, Neurotechnology, Elon Musk and the Goal of Human Advancement, The Guardian (Jan. 1, 2018), https://www.theguardian.com/technology/2018/jan/01/elon-musk-neurotechnology-human-enhancement-brain-computer-interfaces.

124. Evelyn Arevalo, Neuralink Could Start The First Human Trials Later This Year, Tesmanian Blog (Feb. 8, 2021), https://www.tesmanian.com/blogs/tesmanian-blog/neuralink.

125. John F. Burke et al., Brain Computer Interface to Enhance Episodic Memory in Human Participants, Front. Hum. Neurosci. (2014) 8: 1055, https://www.frontiersin.org/articles/10.3389/fnhum.2014.01055/full.

126. Tech@Facebook, supra note 28.

127. Francis R. Willett et al., High-Performance Brain-To-Text Communication Via Handwriting, 593 Nature, 249-254 (May 12, 2021), https://www.nature.com/articles/s41586-021-03506-2; Pavithra Rajeswaran & Amy L. Orsborn, Neural Interface Translates Thoughts into Type, Nature (May 12, 2021), https://www.nature.com/articles/d41586-021-00776-8.

128. See Gabrielle Rejouis, Data, Camera, Busted: How Surveillance Interferes with the Right to Organize at Work, Center on Privacy & Technology at Georgetown Law (May 6, 2020), https://medium.com/center-on-privacy-technology/data-camera-busted-how-surveillance-interferes-with-the-right-to-organize-at-work-ea974763f328, discussing the chilling effects of worker surveillance.

129. Commercial, Smart Cap (last accessed Apr. 11, 2021), http://www.smartcaptech.com/industries/commercial/, arguing that drivers’ privacy is protected because the technology does not use privacy-invasive in-cab cameras.

130. See e.g. Annie Palmer, Amazon is Using AI-Equipped Cameras in Delivery Vans and Some Drivers are Concerned About Privacy, CNBC (Feb. 3, 2021), https://www.cnbc.com/2021/02/03/amazon-using-ai-equipped-cameras-in-delivery-vans.html.

131. See Jingxin Liu et al., Emotion Detection From EEG Recordings, 12th International Conference on Natural Computation, Fuzzy Systems and Knowledge Discovery (ICNC-FSKD) (Aug. 13-15, 2016), https://ieeexplore.ieee.org/document/7603437.

132. See Hannah Devlin, AI Systems Claiming to ‘Read’ Emotions Pose Discriminatory Risks, The Guardian (Feb. 16, 2020), https://www.theguardian.com/technology/2020/feb/16/ai-systems-claiming-to-read-emotions-pose-discrimination-risks.

133. Patricia Nilsson, How AI Helps Recruiters Track Jobseekers’ Emotions, Financial Times (Mar. 2, 2018), https://medium.com/financial-times/how-ai-helps-recruiters-track-jobseekers-emotions-3dbd85ffeca0.

134. See Fabrice Jotterand & James Giordano, Transcranial Magnetic Stimulation, Deep Brain Stimulation and Personal Identity: Ethical Questions, and Neurological Approaches for Medical Practice, 23:5 International Review of Psychiatry 476-485 (2011), available at https://www.tandfonline.com/doi/full/10.3109/09540261.2011.616189, specifically discussing identity concerns in the medical context, but these challenges could similarly impact employees using neurotechnology.

135. See Eran Klein et al., Brain-Computer Interface-Based Control of Closed-Loop Brain Stimulation: Attitudes and Ethical Considerations, 3:3 Brain Computer Interfaces 140-148 (2016), available at https://www.tandfonline.com/doi/full/10.1080/2326263X.2016.1207497.

136. Roberto Portillo-Lara et al., Mind the Gap: State-of-the-Art Technologies and Applications for EEG-Based Brain-Computer Interfaces, 5:3 APL Bioengineering (2021), available at https://aip.scitation.org/doi/10.1063/5.0047237.

137. Electronic Communications Privacy Act (ECPA), Public Law 99-508, available at https://www.govinfo.gov/content/pkg/STATUTE-100/pdf/STATUTE-100-Pg1848 .

138. Americans With Disabilities Act of 1990, Pub. L. No. 101-336, 104 Stat. 328 (1990), available at https://www.ada.gov/pubs/ada.htm.

139. U.S. Department of Labor, Bureau of Labor Statistics, Union Members – 2020 (Jan. 22, 2021), https://www.bls.gov/news.release/pdf/union2 .

140. AFL-CIO, AFL-CIO Commission on the Future of Work and Unions (Sept. 13, 2019), https://aflcio.org/reports/afl-cio-commission-future-work-and-unions.

141. GDPR, supra note 50, art. 7(4)(i).

142. 29 U.S.C. §§ 2001 – 2009 (2002), available at https://www.law.cornell.edu/uscode/text/29/chapter-22; for example, EPPA exempts employer use of polygraph exams for certain government employees, defense contract employees, certain employer investigations of employee theft and drug-related conduct, and employees hired to perform security services.

143. See Katherine F. Mendez & Christina Jaremus, Future Employer: Are Humans with Microchips in Their Brains the Future of Work, Seyfarth (May 19, 2021), https://www.seyfarth.com/news-insights/future-employer-are-humans-with-microchips-in-their-brains-the-future-of-work.html#page=1, citing microchip laws in California, Oklahoma, and Missouri.

144. See e.g. Rory Cellan-Jones, Office Puts Chips Under Staff’s Skin, BBC (Jan. 29, 2015), https://www.bbc.com/news/technology-31042477.

145. See Christopher Wegemer, Brain-Computer Interfaces and Education: the State of Technology and Imperatives for the Future, International Journal of Learning Technology 14(2): 141 (Jan. 2019), available at https://www.researchgate.net/publication/335486095_Brain-computer_interfaces_and_education_the_state_of_technology_and_imperatives_for_the_future.

146. Martin Spüler et al., “Brain-Computer Interfaces for Educational Applications,” in Informational Environments: Effects of Use, Effective Designs, ed. Jürgen Buder et al. (Oct. 2017), https://www.researchgate.net/publication/320378280_Brain-Computer_Interfaces_for_Educational_Applications.

147. Peter Gerjets & Friedrich Hesse, When Are Powerful Learning Environments Effective? The Role of Learner Activities and of Students’ Conceptions Of Educational Technology, International Journal of Educational Research (2004) 41(6): 445-465, https://www.sciencedirect.com/science/article/abs/pii/S0883035505000595.

148. Spüler, supra note 146.

149. John Sweller et al., Cognitive Architecture and Instructional Design, Educational Psychology Review (1998) 10(3): 251–296, https://www.researchgate.net/publication/200772805_Cognitive_Architecture_and_Instructional_Design.

150. Sydney Johnson, This Company Wants to Gather Student Brainwave Data to Measure ‘Engagement’, EdSurge (Oct. 26, 2017), https://www.edsurge.com/news/2017-10-26-this-company-wants-to-gather-student-brainwave-data-to-measure-engagement.

151. These headbands have since faced backlash for this application: see Jane Li, A “Brain-Reading” Headband for Students is Too Much Even for Chinese Parents, Quartz (Nov. 5, 2019), https://qz.com/1742279/a-mind-reading-headband-is-facing-backlash-in-china/.

152. Nicole Kobie, Why Computers Won’t Be Reading Your Mind Anytime Soon, Wired UK (Mar. 12, 2020), https://www.wired.co.uk/article/brain-computer-interfaces.

153. Siobhan Ball, Glasses Act as a Shock Collar For Students Who Don’t Pay Attention, Daily Dot (Aug. 31, 2019), https://www.dailydot.com/unclick/shock-student-glasses/.

154. Sydney Johnson, Brainwave Headsets Are Making Their Way Into Classrooms—For Meditation and Discipline, EdSurge (Nov. 17, 2017), https://www.edsurge.com/news/2017-11-14-brainwave-headsets-are-making-their-way-into-classrooms-for-meditation-and-discipline.

155. See HARPA (last accessed May 17, 2021), https://www.harpa.org/.

156. See Jacqueline Alemany, White House Considers New Project Seeking Links Between Mental Health and Violent Behavior, Washington Post (Aug. 22, 2019), https://www.washingtonpost.com/politics/2019/08/22/white-house-considers-new-project-seeking-links-between-mental-health-violent-behavior/.

157. State Student Privacy Laws, Student Privacy Compass (last accessed May 16, 2021), https://studentprivacycompass.org/state-laws/.

158. 20 U.S.C. § 1232g (2001), available at https://www.law.cornell.edu/uscode/text/20/1232g.

159. U.S. Department of Education, Family Educational Rights and Privacy Act (FERPA) (last accessed Sept. 25, 2021), https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html.

160. U.S. Department of Education, Biometric Record (last accessed May 16, 2021), https://studentprivacy.ed.gov/content/biometric-record.

161. A Parent’s Guide to Student Data Privacy, ConnectSafely et al. 3 (2015), https://www.connectsafely.org/wp-content/uploads/2015/04/StudentDataPrivacy .

162. This report uses the terms “smart cities and smart communities” to refer to communities of all shapes and sizes with digital infrastructure.

163. See e.g. Smarter Cities, IBM (last accessed Jun. 17, 2021), https://www.ibm.com/smarterplanet/us/en/smarter_cities/solutions/planning_mgt_solutions/.

164. See Shedding Light on Smart City Privacy, FPF (last accessed Jun. 17, 2021), https://fpf.org/uncategorized/smart-cities/.

165. See Neurable, supra note 91.

166. See Trimble (last accessed May 17, 2021), https://www.trimble.com/.

167. Neurable and Trimble Partner to Explore the Use of Brain-Computer Interfaces For the Transportation and AEC Industries, Financial Release, Trimble (Jan. 3, 2019), https://investor.trimble.com/news-releases/news-release-details/neurable-and-trimble-partner-explore-use-brain-computer.

168. Id.

169. Jiang, supra note 87.

170. For more information about Silent Talk, see 2010 Defense Department Budget, https://www.darpa.mil/attachments/(2G7)%20Global%20Nav%20-%20About%20Us%20-%20Budget%20-%20Budget%20Entries%20-%20FY2010%20(Approved) ; see also Patrick Tucker, It’s Now Possible to Telepathically Communicate with a Drone Swarm, Defense One (Sept. 6, 2018), https://www.defenseone.com/technology/2018/09/its-now-possible-telepathically-communicate-drone-swarm/151068/.

171. Sung-Ja Choi & Byeong-Gwon Kang, Prototype Design and Implementation of an Automatic Control System Based on a BCI, Wireless Personal Communications (2014) 79(4): 2551–2563, https://www.researchgate.net/publication/271659937_Prototype_Design_and_Implementation_of_an_Automatic_Control_System_Based_on_a_BCI.

172. See e.g. Autonomos Labs (last accessed May 17, 2021), https://autonomos.inf.fu-berlin.de/.

173. Paul Myles, Hyundai Claims Brainwave in Driver Health Monitoring, TU-Automotive (Jul. 21, 2021), https://www.tu-auto.com/hyundai-claims-brainwave-in-driver-health-monitoring/.

174. Id.

175. See Andrew London, I Flew a Drone with My Brain – But That’s Only the Beginning, Techradar (Mar. 24, 2018), https://www.techradar.com/news/i-flew-a-drone-with-my-brain-but-thats-only-the-beginning.

176. For an overview of some of the emerging governance in this area, see Jeff Merritt et al., Governing Smart Cities: Policy Benchmarks for Ethical and Responsible Smart City Development, World Economic Forum (Jul. 2021), available at https://www3.weforum.org/docs/WEF_Governing_Smart_Cities_2021 .

177. Eben Harrell, Neuromarketing: What You Need to Know, Harvard Business Review (Jan. 23, 2019), https://hbr.org/2019/01/neuromarketing-what-you-need-to-know.

178. Sharad Agarwal & Tanusree Dutta, Neuromarketing and Consumer Neuroscience: Current Understanding and the Way Forward, 42(4) DECISION, 457-462 (Nov. 2015), available at https://www.researchgate.net/publication/284234343_Neuromarketing_and_consumer_neuroscience_current_understanding_and_the_way_forward.

179. Id.

180. Samuel M. McClure et al., Neural Correlates of Behavioral Preference for Culturally Familiar Drinks, Neuron (2004) 44(2): 379–387, available at https://pubmed.ncbi.nlm.nih.gov/15473974/.

181. Id.

182. Id.

183. The Advertising Research Foundation encouraged its members to use neuromarketing technology in 2017. Introduction to Neuroscience and Biometric Marketing Research Methods, The Advertising Research Foundation (Aug. 2017), http://thearf.org/wp-content/uploads/2018/02/KAH-Neuroscience-FINAL-web .

184. For more information about the differences between fMRI and EEG, see Christoph Mulert, Simultaneous EEG and fMRI: Towards the Characterization of Structure and Dynamics of Brain Networks, Dialogues Clin Neurosci. (Sept. 2013), available at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3811108/.

185. See A Brief Overview of the Federal Trade Commission’s Investigative, Law Enforcement, and Rulemaking Authority, FTC (Oct. 2019), https://www.ftc.gov/about-ftc/what-we-do/enforcement-authority.

186. NMSBA Code of Ethics, NMSBA (last accessed Jun. 17, 2021), https://www.nmsba.com/neuromarketing-companies/code-of-ethics.

187. See UN Committee on the Rights of the Child, General Comment No. 25 on Children’s Rights in Relation to the Digital Environment ¶ 42 (2021), available at https://docstore.ohchr.org/SelfServices/FilesHandler.ashx?enc=6QkG1d%2fPPRiCAqhKb7yhsqIkirKQZLK2M58RF%2f5F0vEG%2bcAAx34gC78FwvnmZXGFUl9nJBDpKR1dfKekJxW2w9nNryRsgArkTJgKelqeZwK9WXzMkZRZd37nLN1bFc2t.

188. Charles N. Munyon, Neuroethics of Non-primary Brain Computer Interface: Focus on Potential Military Applications, Front. Neurosci. (Oct. 23, 2018), https://www.frontiersin.org/articles/10.3389/fnins.2018.00696/full.

189. Al Emondi, Next-Generation Nonsurgical Neurotechnology, DARPA (last accessed May 21, 2021), https://www.darpa.mil/program/next-generation-nonsurgical-neurotechnology.

190. Paul Tullis, The US Military Is Trying to Read Minds, MIT Technology Review (Oct. 16, 2019), https://www.technologyreview.com/s/614495/us-military-super-soldiers-control-drones-brain-computer-interfaces/.

191. See 2010 Defense Department Budget, supra note 170.

192. DARPA Public Affairs, Six Paths to the Nonsurgical Future of Brain-Machine Interfaces, DARPA (May 20, 2019), https://www.darpa.mil/news-events/2019-05-20.

193. Kristin Houser, DARPA Is Using Gamers’ Brain Waves To Train Robot Swarms, Futurism (Feb. 8, 2020), https://futurism.com/the-byte/darpa-gamers-brain-waves-train-robots-swarms.

194. Michael N. Tennison & Jonathan D. Moreno, Neuroscience, Ethics, and National Security: The State of the Art, PLoS Biology (Mar. 20, 2012), https://journals.plos.org/plosbiology/article?id=10.1371/journal.pbio.1001289#s4.

195. Matthew Pava, Restoring Active Memory (RAM), DARPA (last accessed Sept. 25, 2021), https://www.darpa.mil/program/restoring-active-memory.

196. Anika Binnendijk et al., Brain-Computer Interfaces: U.S. Military Applications and Implications, RAND Corporation (2020) 9, https://www.rand.org/content/dam/rand/pubs/research_reports/RR2900/RR2996/RAND_RR2996 .

197. Id. at 22.

198. Id. at 23-23.

199. See Ragini Verma et al., Neuroimaging Findings in US Government Personnel with Possible Exposure to Directional Phenomena in Havana, Cuba, 322(4) JAMA 336-347 (Jul. 2019), available at https://jamanetwork.com/journals/jama/fullarticle/2738552?guestAccessKey=47486c47-c01c-47fa-8b6e-41fc69f29cf4.

200. George J. Annas, Military Medical Ethics—Physician First, Last, Always, New England Journal of Medicine (Sept. 11, 2008), 359(11): 1087-1090, available at https://www.nejm.org/doi/full/10.1056/NEJMp0805975.

201. Munyon, supra note 188.

202. Annas, supra note 200.

203. Munyon, supra note 188.

204. Tennison, supra note 194.

205. Id.

206. Lucille Nalbach Tournas, If Police Have Devices That Can Read Your Mind, How Does the Fifth Amendment Fit In?, Slate (May 28, 2021), https://slate.com/technology/2021/05/brain-computer-interface-mind-reading-fifth-amendment.html.

207. Tennison, supra note 194.

208. Constitutional reform text and procedural documents available at https://www.senado.cl/appsenado/templates/tramitacion/index.php?boletin_ini=13827-19.

209. En histórica Votación, Aprueban Proyecto Del Ley Que Regulará Los Neuroderechos en Chile [In a Historic Vote, Bill That Will Regulate Neurorights in Chile Is Approved], La Tercera (Apr. 13, 2021), https://www.latercera.com/que-pasa/noticia/en-historica-votacion-aprueban-proyecto-del-ley-que-regulara-los-neuroderechos-en-chile/4IAQJIVHM5F75GRLAR2GQ27V24/.

210. Bill of Law Establishing Neuroprotection, available at https://www.senado.cl/appsenado/templates/tramitacion/index.php?boletin_ini=13828-19.

211. Nayef Al-Rodhan, The Rise of Neurotechnology Calls for a Parallel Focus on Neurorights, Scientific American (May 27, 2021), https://www.scientificamerican.com/article/the-rise-of-neurotechnology-calls-for-a-parallel-focus-on-neurorights/.

212. Law No. 19.451, available at https://www.bcn.cl/leychile/navegar?idNorma=30818.

213. Abel Wajnerman Paz, Are Neural Data Protected by Bodily Integrity? A Discussion of the ‘Organic’ View on Neural Data Rights, Neuroethics Blog (May 12, 2021), http://www.theneuroethicsblog.com/2020/05/are-neural-data-protected-by-bodily.html.

214. Id.

215. See Stacey Gray, Always On: Privacy Implications of Microphone-Enabled Devices, FPF (Apr. 2016), https://fpf.org/wp-content/uploads/2016/04/FPF_Always_On_WP .

216. See Jules Polonetsky & Jeremy Greenberg, NSF Convergence Accelerator: The Future of Privacy Technology (C-Accel 1939288), FPF (2020), https://fpf.org/wp-content/uploads/2020/03/NSF_FPF-REPORT_C-Accel1939288_Public .

217. See NIST, Cybersecurity Framework (Apr. 2018), available at https://www.nist.gov/cyberframework.

218. See e.g. IBM’s Multidisciplinary, Multidimensional Approach to AI Ethics (last accessed May 15, 2021), https://www.ibm.com/artificial-intelligence/ethics; Artificial Intelligence and Ethics, Microsoft EU Policy Blog (last accessed Nov. 1, 2021), https://blogs.microsoft.com/eupolicy/artificial-intelligence-ethics/; Sundar Pichai, AI at Google: Our Principles, The Keyword (Jun. 7, 2018), https://www.blog.google/technology/ai/ai-principles/; Jerome Pesenti, AI at F8 2018: Open Frameworks and Responsible Development, Facebook Engineering (May 2, 2018), https://engineering.fb.com/2018/05/02/mlapplications/ai-at-f8-2018-open-frameworks-and-responsible-development/.

219. See e.g. Mark Roman Miller et al., Personal Identifiability of User Tracking Data During Observation of 360-Degree VR Video, 10 Scientific Reports (Oct. 15, 2020), available at https://www.nature.com/articles/s41598-020-74486-y, showing that a pool of 511 de-identified participants experiencing less than 5 minutes of VR could be identified, based on biometric tracking, by a random forest with 95% accuracy.

220. Heller, supra note 103.

221. See e.g. Rufin VanRullen & Leila Reddy, Reconstructing Faces from fMRI Patterns Using Deep Generative Neural Networks, 2 Communications Biology (2019), available at https://www.nature.com/articles/s42003-019-0438-y.

1400 EYE STREET NW | SUITE 450 | WASHINGTON, DC 20005 INFO@FPF.ORG | 202-768-8950

The Future of Privacy Forum (FPF) is a catalyst for privacy leadership and scholarship,
advancing responsible data practices in support of emerging technologies. FPF is based
in Washington, DC, and includes an advisory board comprising leading figures from
industry, academia, law, and advocacy groups. Learn more at fpf.org.

DATA PROTECTION LAWS OF THE WORLD
Full Handbook

Downloaded: 20 June 2022

TABLE OF CONTENTS

Albania (p. 24)
Algeria (p. 33)
Angola (p. 37)
Argentina (p. 42)
Armenia (p. 46)
Aruba (p. 50)
Australia (p. 55)
Austria (p. 63)
Azerbaijan (p. 77)
Bahamas (p. 79)
Bahrain (p. 83)
Bangladesh (p. 88)
Barbados (p. 91)
Belarus (p. 95)
Belgium (p. 101)
Benin (p. 117)
Bermuda (p. 124)
Bolivia (p. 127)
Bonaire, Sint Eustatius and Saba (p. 130)
Bosnia and Herzegovina (p. 135)
Botswana (p. 141)
Brazil (p. 148)
British Virgin Islands (p. 156)
Brunei (p. 161)
Bulgaria (p. 165)
Burkina Faso (p. 180)
Burundi (p. 185)
Cambodia (p. 187)
Canada (p. 192)
Cape Verde (p. 200)
Cayman Islands (p. 204)
Chad (p. 211)
Chile (p. 217)
China (p. 222)
Colombia (p. 232)
Costa Rica (p. 240)
Croatia (p. 244)
Cuba (p. 256)
Curaçao (p. 259)
Cyprus (p. 264)
Czech Republic (p. 277)
Democratic Republic of Congo (p. 288)
Denmark (p. 291)
Dominican Republic (p. 309)
Ecuador (p. 313)
Egypt (p. 319)
El Salvador (p. 325)
Equatorial Guinea (p. 328)

Estonia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331

Ethiopia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Fiji . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Finland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

France . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Gabon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Georgia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Germany . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391

Ghana . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Gibraltar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Greece . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425

Guatemala . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

Guernsey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

Guinea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460

Haiti . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

Honduras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

Hong Kong, SAR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Hungary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Iceland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

India . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501

Indonesia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Iran . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515

Ireland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518

Israel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Italy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

Japan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552

Jersey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559

Jordan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570

Kazakhstan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

Kenya . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579

Kosovo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585

Kuwait . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Kyrgyzstan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597

Laos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Latvia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606

Lebanon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618

Lesotho . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621

Liberia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Libya . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630

Lithuania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633

Luxembourg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647

Macau . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661

Madagascar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664

Malaysia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668

Malta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674

Mauritius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 689

Mexico . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696

Moldova . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704

Monaco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 709

Mongolia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715

Montenegro . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

Morocco . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 726

Mozambique . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 731

Myanmar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734

Namibia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736

Nepal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738

Netherlands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 741

New Zealand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754

Nicaragua . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 762

Niger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 765

Nigeria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 770

North Macedonia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 778

Norway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 785

Pakistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 798

Panama . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 802

Paraguay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 807

Peru . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 812

Philippines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 819

Poland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 827

Portugal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 843

Qatar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 857

Qatar – Financial Centre . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 862

Republic of Congo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 867

Romania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 870

Russia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 885

Rwanda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 890

Saudi Arabia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 896

Senegal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 901

Serbia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 907

Seychelles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 913

Singapore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918

Sint Maarten . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 926

Slovak Republic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 931

Slovenia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 945

South Africa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 956

South Korea . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 963

Spain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 971

Sri Lanka . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 984

Sweden . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993

Switzerland . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1004

Taiwan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013

Tajikistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017

Tanzania . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1020

Thailand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1024

Tonga . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1029

Trinidad and Tobago . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1031

Tunisia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1035

Turkey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1039

Turkmenistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1047

UAE – Abu Dhabi Global Market Free Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1050

UAE – Dubai (DIFC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1059

UAE – Dubai Health Care City Free Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1068

UAE – General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1072

Uganda . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1083

Ukraine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1087

United Kingdom . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1093

United States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1105

Uruguay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114

Uzbekistan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1118

Venezuela . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124

Vietnam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1128

Zambia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1136

Zimbabwe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1141

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World 6 | | www.dlapiperdataprotection.com

I. INTRODUCTION

EU data protection legislation is facing huge changes. Data protection laws are built on fundamental rights enshrined in the Charter

of Fundamental Rights of the European Union which are the core building blocks of the EU’s legal regime. Privacy issues arising

from an exponential growth in consumer and mobile technologies, an increasingly connected planet and mass cross-border data

flows have pushed the EU to entirely rethink its data protection legislation to ensure that these fundamental rights are fully

protected in today’s digital economy. 

In 2012, the European Commission published a draft regulation (the General Data Protection Regulation, ‘GDPR’). Just over four

years later, the final text of GDPR was published in the Official Journal of the European Union on April 27, 2016. Regulation

2016/679 (http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en) heralds some of the most stringent data protection laws in the world and has been in force since May 25, 2018.

The previous EU Data Protection Directive (95/46/EC) was adopted in 1995. It was implemented differently by EU Member States

into their respective national jurisdictions, resulting in the fragmentation of national data protection laws within the EU. As it is a

Regulation, GDPR came into effect immediately on May 25, 2018 without any need for additional domestic legislation in EU

Member States. However, with more than 30 areas where Member States are permitted to legislate (differently) in their domestic

laws there will continue to be significant variation in both substantive and procedural data protection laws among the EU’s

different Member States. 

With fines of up to 4% of total worldwide annual turnover for failing to comply with the requirements of GDPR, organizations

have had a great deal to do to comply with the new regime.

II. CURRENT SITUATION

After almost four years of often fractious negotiations, GDPR was published in the Official Journal of the European Union as

Regulation 2016/679 on April 27, 2016. 

There was a two-year transition period to allow organizations and governments to adjust to the new requirements and

procedures. Following the end of this transitional period, the Regulation became directly applicable throughout the EU from May

25, 2018, without requiring implementation by the EU Member States through national law.

The goal of European legislators was to harmonize the previous legal framework, which was fragmented across Member States. A

‘Regulation’ (unlike a Directive) is directly applicable and has consistent effect in all Member States, and GDPR was intended to

increase legal certainty, reduce the administrative burden and cost of compliance for organizations that are active in multiple EU

Member States, and enhance consumer confidence in the single digital marketplace. However, in order to reach political

agreement on the final text there are more than 30 areas covered by GDPR where Member States are permitted to legislate

differently in their own domestic data protection laws. There continues to be room for different interpretation and enforcement

practices among the Member States. There are therefore likely to continue to be significant differences in both substantive and

procedural data protection laws and enforcement practice among EU Member States with GDPR in force.

We have summarized the key changes introduced by the GDPR in the following sections.

Key changes to the previous data protection framework include:

A. WIDER TERRITORIAL SCOPE

Where organizations are established within the EU

GDPR applies to processing of personal data “in the context of the activities of an establishment” (Article 3(1)) of any organization

within the EU. For these purposes “establishment” implies the “effective and real exercise of activity through stable arrangements”

(Recital 22) and “the legal form of such arrangements…is not the determining factor” (Recital 22), so there is a wide spectrum of

what might be caught from fully functioning subsidiary undertakings on the one hand, to potentially a single individual sales

representative depending on the circumstances. 

Europe’s highest court, the Court of Justice of the European Union (the CJEU) has been developing jurisprudence on this concept,


recently finding (Google Spain SL, Google Inc. v AEPD, Mario Costeja Gonzalez (C-131/12)) that Google Inc. with EU-based sales and

advertising operations (in that particular case, a Spanish subsidiary) was established within the EU. More recently, the same court

concluded (Weltimmo v NAIH (C-230/14)) that a Slovakian property website was also established in Hungary and therefore subject

to Hungarian data protection laws.

Where organizations are not established within the EU

Even if an organization is able to prove that it is not established within the EU, it will still be caught by GDPR if it processes

personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or

services” (Art 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behavior” (Art 3(2)(b))

as far as their behavior takes place within the EU. Internet use profiling (Recital 24) is expressly referred to as an example of

monitoring.

Practical implications

1. Compared to the previous Directive, GDPR captures many more overseas organizations. US tech companies should particularly take note,

as the provisions of GDPR have clearly been designed to capture them.

2. Overseas organizations not established within the EU who are nevertheless caught by one or both of the offering goods or

services or monitoring tests must designate a representative within the EU (Article 27).

B. TOUGHER SANCTIONS

Revenue-based fines

GDPR joins anti-bribery and anti-trust laws as having some of the very highest sanctions for non-compliance including revenue-based fines of up to 4% of annual worldwide turnover.

To compound the risk for multinational businesses, fines are imposed by reference to the revenues of an undertaking rather than the revenues of the relevant controller or processor. Recital 150 of GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully the Treaty doesn’t define the term either and the extensive case-law is not entirely straightforward with decisions often turning on the specific facts of each case. However, in many cases group companies have been regarded as part of the same undertaking. This is bad news for multinational businesses as it means that in many cases group revenues will be taken into account when calculating fines, even where some of those group companies have nothing to do with the processing of data to which the fine relates, provided they are deemed to be part of the same undertaking. The assessment will turn on the facts of each case.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to 20,000,000 Euros or in the case of an undertaking up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to breach of:

the basic principles for processing including conditions for consent
data subjects’ rights
international transfer restrictions
any obligations imposed by Member State law for special cases such as processing employee data
certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to 10,000,000 Euros or in the case of an undertaking up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to breach of:

obligations of controllers and processors, including security and data breach notification obligations
obligations of certification bodies
obligations of a monitoring body

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World 8 | | www.dlapiperdataprotection.com

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Broad investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

GDPR makes it considerably easier for individuals to bring private claims against data controllers and processors. In particular:

any person who has suffered “material or non-material damage” as a result of a breach of GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress and hurt feelings even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80). Although this falls some way short of a US style class action right, it certainly increases the risk of group privacy claims against consumer businesses. Employee group actions are also more likely under GDPR.

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Practical implications

1. The scale of fines and risk of follow-on private claims under GDPR means that actual compliance is a must. GDPR is not merely a legal and compliance challenge – it is much broader than that, requiring organizations to completely transform the way that they collect, process, securely store, share and securely wipe personal data. Engagement of senior management and forming the right team is key to successful GDPR readiness.

2. Organizations caught by GDPR need to map current data collection and use, carry out a gap analysis of their current compliance against GDPR and then create and implement a remediation plan, prioritizing high risk areas.

3. GDPR requires suppliers and customers to review supply chains and current contracts. Contracts will need to be renegotiated to ensure GDPR compliance and commercial terms will inevitably have to be revisited in many cases given the increased costs of compliance and higher risks of non-compliance.

4. The very broad concept of ‘undertaking’ is likely to put group revenues at risk when fines are calculated, whether or not all group companies are caught by GDPR or were responsible for the infringement of its requirements. Multinationals, even those with quite limited operations caught by GDPR, will therefore need to carefully consider their exposure and ensure compliance.

5. Insurance arrangements need to be reviewed and cyber and data protection exposure added to existing policies or purchased as stand-alone policies where possible. The terms of policies require careful review as there is wide variation among wordings and many policies may not be suitable for the types of losses which are likely to occur under GDPR.

C. MORE DATA CAUGHT

Personal data is defined as “any information relating to an identified or identifiable natural person.” (Article 4) A low bar is set for “identifiable” – if anyone can identify a natural person using “all means reasonably likely to be used” (Recital 26) the information is personal data, so data may be personal data even if the organization holding the data cannot itself identify a natural person. A name is not necessary either – any identifier will do such as an identification number, location data, an online identifier or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30 with IP addresses, cookies and RFID tags all listed as examples.

Although the definition and recitals are broader than the equivalent definitions in the current Directive, for the most part they are simply codifying current guidance and case law on the meaning of ‘personal data’.

GDPR also includes a broader definition of “special categories” (Article 9) of personal data which are more commonly known as sensitive personal data. The concept has been expanded to expressly include the processing of genetic data and biometric data. The processing of these data are subject to a much more restrictive regime.

A new concept of ‘pseudonymisation’ (Article 4) is defined as the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. Organizations which implement pseudonymization techniques enjoy various benefits under GDPR.

Practical implications

1. If in any doubt, it is prudent to work on the assumption that data is personal data given the extremely wide definition of personal data in GDPR.

2. GDPR imposes such a high bar for compliance, with sanctions to match, that often the most effective approach to minimize exposure is not to process personal data in the first place and to securely wipe legacy personal data or render it fully anonymous, reducing the amount of data subject to the requirements of GDPR.

3. Where a degree of identification is required for a specific purpose, the next best option is only to collect and use pseudonymous data. Although this falls within the regulated perimeter, it enjoys a number of benefits for organizations, in particular that in the event of a data breach it is much less likely that pseudonymous data will cause harm to the affected individuals, thereby also reducing the risk of sanctions and claims for the relevant organization.

4. Organizations should only use identifiable personal data as a last resort where anonymous or pseudonymous data is not sufficient for the specific purpose.
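Pseudonymisation as defined in Article 4 and recommended in point 3 above, worked through as an added example (not code from the handbook): keyed tokens replace the direct identifiers, the key and the token-to-identifier link table are the separately held "additional information", and an unkeyed hash is shown to fail the Recital 26 test for guessable identifiers such as e-mail addresses. Field names, records and the key are constructed.

```python
"""Added example (not from the DLA Piper handbook): pseudonymisation in the
Article 4 sense.  Direct identifiers are replaced by keyed tokens; the key and
the token -> identifier link table are the "additional information" that must
be kept separately, under technical and organisational measures, from the
dataset itself.  Field names, records and the key below are constructed."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Fields in the constructed records that identify a person directly.
DIRECT_IDENTIFIERS = ("email", "national_id")


def token_for(value: str, key: bytes) -> str:
    """Keyed, deterministic token (HMAC-SHA256).

    Same input -> same token, so records about one person stay linkable for
    analytics, but the token cannot be reversed or re-created without the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymous records, link table).

    The link table maps token -> original identifier and is the only route
    back to the individual; it is returned separately so the caller can store
    it, and the key, away from the working dataset.
    """
    link_table: Dict[str, str] = {}
    out: List[dict] = []
    for rec in records:
        new = dict(rec)
        for f in DIRECT_IDENTIFIERS:
            if f in new:
                tok = token_for(new[f], key)
                link_table[tok] = new[f]
                new[f] = tok
        out.append(new)
    return out, link_table


def reidentify(pseudo_record: dict, link_table: Dict[str, str]) -> dict:
    """Re-attribution is possible only with the separately held link table."""
    rec = dict(pseudo_record)
    for f in DIRECT_IDENTIFIERS:
        if f in rec:
            rec[f] = link_table[rec[f]]
    return rec


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 with no key: NOT adequate for low-entropy identifiers."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def recoverable_from_candidates(token: str, candidates: Iterable[str],
                                tokenise: Callable[[str], str]) -> Optional[str]:
    """Return the candidate identifier that reproduces `token`, if any.

    This is the Recital 26 test in miniature: an unkeyed hash of an e-mail
    address is reproduced by anyone holding a list of plausible addresses, so
    such data is still identifiable; a keyed token is not reproducible without
    the key, which is why the key must be held apart from the data.
    """
    for candidate in candidates:
        if tokenise(candidate) == token:
            return candidate
    return None


# Constructed sample: two events for the same person plus one other person.
SAMPLE_RECORDS = [
    {"email": "ana@example.org", "national_id": "ID-0001", "event": "login"},
    {"email": "ana@example.org", "national_id": "ID-0001", "event": "purchase"},
    {"email": "ben@example.org", "national_id": "ID-0002", "event": "login"},
]


if __name__ == "__main__":
    # In production the key lives in a KMS/HSM, never beside the dataset.
    key = secrets.token_bytes(32)
    pseudo, links = pseudonymise(SAMPLE_RECORDS, key)
    print("working dataset:", pseudo)
    print("same person, same token:", pseudo[0]["email"] == pseudo[1]["email"])
    print("re-identified with link table:", reidentify(pseudo[1], links))
    known = [r["email"] for r in SAMPLE_RECORDS]
    print("unkeyed hash guessed:",
          recoverable_from_candidates(unkeyed_hash("ana@example.org"), known, unkeyed_hash))
    print("keyed token guessed:",
          recoverable_from_candidates(pseudo[0]["email"], known, unkeyed_hash))
```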

D. SUPPLIERS (PROCESSORS) CAUGHT TOO

GDPR directly regulates data processors for the first time. The current Directive generally regulates controllers (i.e., those responsible for determining the purposes and means of the processing of personal data) rather than ‘data processors’ – organizations who may be engaged by a controller to process personal data on their behalf (e.g., as an agent or supplier).

Under GDPR, processors are required to comply with a number of specific obligations, including to maintain adequate documentation (Article 30), implement appropriate security standards (Article 32), carry out routine data protection impact assessments (Article 32), appoint a data protection officer (Article 37), comply with rules on international data transfers (Chapter V) and cooperate with national supervisory authorities (Article 31). These are in addition to the requirement for controllers to ensure that when appointing a processor, a written data processing agreement is put in place meeting the requirements of GDPR (Article 28). Again, these requirements have been enhanced and gold-plated compared to the equivalent requirements in the Directive.

Processors are directly liable to sanctions (Article 83) if they fail to meet these criteria and may also face private claims by individuals for compensation (Article 79).

Practical implications

1. GDPR completely changes the risk profile for suppliers processing personal data on behalf of their customers. Suppliers now face the threat of revenue-based fines and private claims by individuals for failing to comply with GDPR. Telling an investigating supervisory authority that you are just a processor won’t work; they can fine you too. Suppliers need to take responsibility for compliance and assess their own compliance with GDPR. In many cases, this requires the review and overhaul of current contracting arrangements to ensure better compliance. The increased compliance burden and risk requires a careful review of business cases.

2. Suppliers need to decide for each type of processing undertaken whether they are acting solely as a processor or if their processing crosses the line and renders them a data controller or joint controller, attracting the full burden of GDPR.

3. Customers (as controllers) face similar challenges. Supply chains need to be reviewed and assessed to determine current compliance with GDPR. Privacy impact assessments need to be carried out. Supervisory authorities may need to be consulted. In many cases contracts are likely to need to be overhauled to meet the new requirements of GDPR. These negotiations will not be straightforward given the increased risk and compliance burden for suppliers. They will also be time consuming and it would be sensible to start the renegotiation exercise sooner rather than later, particularly as suppliers are likely to take a more inflexible view over time as standard positions are developed.

4. There are opportunities for suppliers to offer GDPR “compliance as a service” solutions, such as secure cloud solutions, though customers will need to review these carefully to ensure they dovetail with their own compliance strategy.

E. DATA PROTECTION PRINCIPLES

The core themes of the data protection principles in GDPR remain largely as they were in the Directive, though there has been a significant raising of the bar for lawful processing (see Higher Bar for Lawful Processing, below) and a new principle of accountability has been added.

Personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”)
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”)
accurate and where necessary kept up-to-date (the “accuracy principle”)
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”)
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”)

The controller is responsible for and must be able to demonstrate compliance with the above principles (the accountability principle).

Practical implications

1. Controllers need to assess and ensure compliance of data collection and use across their organizations with each of the above principles as any failure to do so attracts the maximum category of fines of up to 20 million Euros / 4% of worldwide annual turnover. Data mapping, gap analysis and remediation action plans need to be undertaken and implemented.

2. The enhanced focus on accountability will require a great deal more papering of process flows, privacy controls and decisions made to allow controllers to be able to demonstrate compliance. See Accountability and Governance.

F. HIGHER BAR FOR LAWFUL PROCESSING

The lawfulness, fairness and transparency principle among other things requires processing to fall within one or more of the permitted legal justifications for processing. Where special categories of personal data are concerned, additional much more restrictive legal justifications must also be met.

Although this structure is present in the Directive, the changes introduced by GDPR will make it much harder for organizations to fall within the legal justifications for processing. Failure to comply with this principle is subject to the very highest fines of up to 20 million Euros or in the case of an undertaking up to 4% of annual worldwide turnover, whichever is the greater.

In particular:

The bar for valid consents has been raised much higher under GDPR. Consents must be fully unbundled from other terms and conditions and will not be valid unless freely given, specific, informed and unambiguous (Articles 4(11) and 6(1)(a)). Consent also attracts additional baggage for controllers in the form of extra rights for data subjects (the right to be forgotten and the right to data portability) relative to some of the other legal justifications. Consent must be as easy to withdraw as it is to give – data subjects have the right to withdraw consent at any time – and unless the controller has another legal justification for processing, any processing based on consent alone would need to cease once consent is withdrawn.

To compound the challenge for controllers, in addition to a hardening of the requirements for valid consent, GDPR has also narrowed the legal justification allowing data controllers to process in their legitimate interests. This justification also appears in the Directive though the interpretation of the concept in the current regime has varied significantly among the different Member States with some such as the UK and Ireland taking a very broad view of the justification and others such as Germany taking a much more restrictive interpretation. GDPR has followed a more Germanic approach, narrowing the circumstances in which processing will be considered to be necessary for the purposes of the legitimate interests of the controller or a third party. In particular, the ground can no longer be relied upon by public authorities. Where it is relied upon, controllers will need to specify what the legitimate interests are in information notices and will need to consider and document why they consider that their legitimate interests are not overridden by the interests or fundamental rights and freedoms of the data subjects, in particular where children’s data is concerned.

The good news is that the justification allowing processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject to enter into a contract is preserved in GDPR, though it continues to be narrowly drafted. Processing which is not necessary to the performance of a contract will not be covered. The less good news for controllers relying on this justification is that it comes with additional burdens under GDPR, including the right to data portability and the right to be forgotten (unless the controller is able to rely on another justification).

Other justifications include where processing is necessary for compliance with a legal obligation; where processing is necessary to protect the vital interests of a data subject or another person where the data subject is incapable of giving consent; and where processing is necessary for performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. These broadly mirror justifications in the previous Directive.

Processing for new purposes

It is often the case that organizations will want to process data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data was first collected. This is potentially in conflict with the core principle of purpose limitation and, to ensure that the rights of data subjects are protected, GDPR sets out a series of considerations that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose
the context in which the data have been collected
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
the possible consequences of the new processing for the data subjects
the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are a fresh consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Processing of special categories of personal data

As is the case in the Directive, GDPR sets a higher bar to justify the processing of special categories of personal data. These are defined to include “data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.” (Article 9(1)) Processing of these data is prohibited unless one or more specified grounds are met, which are broadly similar to the grounds set out in the Directive.

Processing of special categories of personal data is only permitted (Article 9(2)):

with the explicit consent of the data subject
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent
in limited circumstances by certain not-for-profit bodies
where processing relates to personal data which are manifestly made public by the data subject
where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

The justifications and conditions for processing special categories of data are one area where Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Processing of personal data relating to criminal convictions and offenses

GDPR largely mirrors the requirements of the Directive in relation to criminal conviction and offences data. This data may only be processed under official authority or when authorized by Union or Member State law (Article 10), which means this is another area where legal requirements and practice are likely to diverge among the different Member States.

Practical Implications

1. Controllers need to ensure that they have one or more legal justifications to process personal data for each purpose. Practically this will require comprehensive data mapping to ensure that all personal data within the extended enterprise (i.e. including data processed by third parties as well as data within the organization) has a legal justification to be processed.

2. Consideration needs to be given as to which are the most appropriate justifications for different purposes and personal data, given that some justifications attract additional regulatory burdens.

3. The common practice of justifying processing with generic consents needs to cease with GDPR in force. Consent comes with many additional requirements under GDPR and as such is likely to be a justification of last resort where no other justifications are available.

4. Where controllers propose to process legacy data for new purposes, they need to be able to demonstrate compliance with the purpose limitation principle. To do that, controllers should document decisions made concerning new processing, taking into account the criteria set out in GDPR and bearing in mind that technical measures such as encryption or pseudonymisation of data will generally make it easier to prove that new purposes are compatible with the purposes for which personal data were originally collected.

G. TRANSFERS

International transfers and particularly those to the US have regularly made front page headline news over the last 12 months with the successful torpedoing of the EU/US Safe Harbor regime by Europe’s highest court. Organizations will be relieved to hear that for the most part GDPR does not make any material changes to the previous rules for transfers of personal data cross-border, largely reflecting the regime under the Directive. That said, in contrast to the previous regime where sanctions for breaching transfer restrictions are limited, failure to comply with GDPR’s transfer requirements attracts the highest category of fines of up to 20 million Euros or in the case of undertakings up to 4% of annual worldwide turnover.

Transfers of personal data to third countries outside the EU are only permitted where the conditions laid down in GDPR are met (Article 44).

Transfers to third countries, territories or specified sectors or an international organization which the Commission has decided ensures an adequate level of protection do not require any specific authorization (Article 45(1)). The adequacy decisions made under the current Directive shall remain in force under GDPR until amended or repealed (Article 45(9)); so for the time being transfers to any of the following countries are permitted: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

The well-publicized gap for transfers from the EU to US following the ruling that Safe Harbor is invalid will, it is hoped, be filled with the new EU/US Privacy Shield.

Transfers are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes among other things binding corporate rules, which now enjoy their own Article 47 under GDPR, and standard contractual clauses. Again, decisions on adequacy made under the Directive will generally be valid under GDPR until amended, replaced or repealed.

Two new mechanics are introduced by GDPR to justify international transfers (Article 46(2)(e) and (f)): controllers or processors may also rely on an approved code of conduct pursuant to Article 40 or an approved certification mechanism pursuant to Article 42, together in each case with binding and enforceable commitments in the third country to apply these safeguards including as regards data subjects’ rights. GDPR also removes the need to notify and in some Member States seek prior approval of model clauses from supervisory authorities.

GDPR includes a list of derogations similar to those included in the Directive permitting transfers where:

(a) explicit informed consent has been obtained

(b) the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person

(d) the transfer is necessary for important reasons of public interest

(e) the transfer is necessary for the establishment, exercise or defense of legal claims

(f) the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

(g) the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanic is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; otherwise transfer in response to such requests where there is no other legal basis for transfer will breach GDPR’s restrictions.

Practical Implications

1. Given the continued focus of the media and regulators on international transfer and the increased sanctions to be introduced by GDPR, all controllers and processors need to carefully diligence current data flows to establish what types of data are being shared with which organizations in which jurisdictions.

2. Current transfer mechanics need to be reviewed to assess compliance with GDPR and, where necessary, remedial steps implemented before GDPR comes into force.

3. For intra-group transfers, consider binding corporate rules which not only provide a good basis for transfers but also help demonstrate broader compliance with GDPR, helping to comply with the principle of accountability.

H. DATA BREACH NOTIFICATION

One of the most profound changes to be introduced by GDPR is a European wide requirement to notify data breaches to supervisory authorities and affected individuals.

In the US, data breach notification laws are now in force in all 50 States (http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx) and the hefty penalties for failing to notify have fundamentally changed the way US organizations investigate and respond to data incidents. Not notifying has become a high risk option.

In contrast, Europe previously had no universally applicable law requiring notification of breaches. In the majority of Member States there was either no general obligation to notify or minimal sanctions for failing to do so; for many organizations not notifying and thereby avoiding the often damaging media fall-out is still common practice in Europe. That fundamentally changes with GDPR in force.

GDPR requires “the controller without undue delay, and where feasible, not later than 72 hours after having become aware of it, [to] notify the … breach to the supervisory authority” (Article 33(1)). When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals the controller is also required to notify the affected individuals “without undue delay” (Article 34). Processors are required to notify the controller without undue delay after having become aware of the breach (Article 33(2)).

The notification to the regulator must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s DPO or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Although the obligation to notify is conditional on awareness, burying your head in the sand is not an option as controllers are required to implement appropriate technical and organizational measures together with a process for regularly testing, assessing and evaluating the effectiveness of those measures to ensure the security of processing (Article 32). Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits by the supervisory authority.

Failing to comply with the articles relating to security and data breach notification attracts fines of up to 10 million Euros or 2% of annual worldwide turnover, potentially for both the controller and the processor. As a data breach often leads to investigations by supervisory authorities and often uncovers other areas of non-compliance, it is quite possible that fines of up to 20 million Euros or 4% of annual worldwide turnover will also be triggered.
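The Article 33/34 mechanics described above, turned into a minimal breach register as an added example (not code from the handbook): the 72-hour clock runs from awareness, individuals are notified when the risk is high, the Article 33(3) content is checked, and every breach is recorded whether or not it is notified. The incidents, timestamps and risk ratings are constructed, and the rating is assumed to be the controller's own assessment.

```python
"""Added example (not from the DLA Piper handbook): a minimal breach register
applying the Article 33/34 rules described above. The 72-hour regulator clock
runs from awareness, individuals are told when the risk is high, the Article
33(3) content is checked, and every breach is recorded whether or not it is
notified (Article 33(5)). Incidents, times and risk ratings are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

REGULATOR_DEADLINE = timedelta(hours=72)  # Article 33(1)

# Content Article 33(3) requires in the regulator notification, where possible.
ART_33_3_FIELDS = ("categories_of_data_subjects", "approx_data_subjects", "approx_records",
                   "dpo_contact", "likely_consequences", "measures_taken")


@dataclass
class Breach:
    ref: str
    became_aware_at: datetime   # the clock starts at awareness
    risk_to_individuals: str    # "unlikely" | "risk" | "high": the controller's assessment
    notification: Dict[str, str] = field(default_factory=dict)
    notified_regulator_at: Optional[datetime] = None

    def regulator_notification_required(self) -> bool:
        # Article 33(1) exempts breaches unlikely to result in a risk to individuals.
        return self.risk_to_individuals != "unlikely"

    def subject_notification_required(self) -> bool:
        # Article 34: individuals are notified when the risk to them is high.
        return self.risk_to_individuals == "high"

    def regulator_deadline(self) -> datetime:
        return self.became_aware_at + REGULATOR_DEADLINE

    def missing_content(self) -> List[str]:
        """Article 33(3) items not yet filled in."""
        return [f for f in ART_33_3_FIELDS if not self.notification.get(f)]

    def status(self, now: datetime) -> str:
        if not self.regulator_notification_required():
            return "record-only"  # still documented under Article 33(5)
        if self.notified_regulator_at is not None:
            # A notification made after 72 hours must give the reasons for the delay.
            return "notified" if self.notified_regulator_at <= self.regulator_deadline() else "notified-late"
        return "overdue" if now > self.regulator_deadline() else "open"


class BreachRegister:
    """Article 33(5): a record of all breaches, notified or not."""

    def __init__(self) -> None:
        self._breaches: Dict[str, Breach] = {}

    def record(self, breach: Breach) -> None:
        self._breaches[breach.ref] = breach

    def get(self, ref: str) -> Breach:
        return self._breaches[ref]

    def summary(self, now: datetime) -> Dict[str, str]:
        return {ref: b.status(now) for ref, b in self._breaches.items()}

    def subjects_to_notify(self) -> List[str]:
        return [b.ref for b in self._breaches.values() if b.subject_notification_required()]


SAMPLE_T0 = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)  # constructed awareness time


def build_sample_register() -> BreachRegister:
    """Three constructed incidents, all becoming known at SAMPLE_T0."""
    reg = BreachRegister()
    # Lost laptop with full-disk encryption: assessed as unlikely to pose a risk.
    reg.record(Breach("B-1", SAMPLE_T0, "unlikely"))
    # E-mail with customer records sent to the wrong address: notified after 30 hours.
    reg.record(Breach("B-2", SAMPLE_T0, "risk",
                      notification={f: "filled in" for f in ART_33_3_FIELDS},
                      notified_regulator_at=SAMPLE_T0 + timedelta(hours=30)))
    # Credential database copied by an intruder: high risk, nothing sent yet.
    reg.record(Breach("B-3", SAMPLE_T0, "high",
                      notification={"dpo_contact": "dpo@example.org (constructed)"}))
    return reg


def sample_report(hours_after_awareness: float) -> dict:
    """Evaluate the constructed register a given number of hours after awareness."""
    reg = build_sample_register()
    summary = reg.summary(SAMPLE_T0 + timedelta(hours=hours_after_awareness))
    return {
        "summary": summary,
        "overdue": [ref for ref, s in summary.items() if s == "overdue"],
        "subjects_to_notify": reg.subjects_to_notify(),
        "missing_for_B-3": reg.get("B-3").missing_content(),
    }


if __name__ == "__main__":
    print(sample_report(80))
```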

Practical implications

1. Notification will become the norm: Sweeping breaches under the carpet has become a very high risk option under GDPR.

Organizations that are found to have deliberately not notified can expect the highest fines and lasting damage to corporate and

individual reputations. Notifying and building data breach infrastructure to enable prompt, compliant notification will be a necessity

under GDPR.

2. A coordinated approach, including technology, breach response policy and training and wider staff training. Data breaches are increasingly a business-as-usual event. Lost or stolen devices, emails sent to incorrect addresses in error and the continuing rise of cybercrime mean that for many organizations, data breaches are a daily occurrence. To deal with the volume of breaches,

https://www.dlapiperdataprotection.com

http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World 15 | | www.dlapiperdataprotection.com

organizations need a combination of technology, breach response procedures and staff training.

a. Technology requirements: these will vary for each organization but will typically include a combination of firewalls, log recording, data loss prevention, malware detection and similar applications. There is an increasingly sophisticated array of applications that learn what “normal” looks like for a particular corporate network in order to spot unusual events more effectively. The state of the art continues to change rapidly as organizations try to keep pace with sophisticated attackers. Regular privacy impact assessments and upgrades of technology are required.

b. Breach response procedures: to gain the greatest protection from technology, investment is required in dealing with red flags

when they are raised by internal detection systems or notified from external sources. Effective breach response requires a

combination of skill sets including IT, PR and legal. Develop a plan and test it regularly.

c. Staff training: the weak link in security is frequently people rather than technology. Regular staff training is essential to raise

awareness of the importance of good security practices, current threats and who to call if a breach is suspected. It is also

important to avoid a blame culture that may deter staff from reporting breaches.

3. Consider privilege and confidentiality as part of your plan. Make sure that forensic reports are protected by privilege wherever possible to avoid compounding the losses arising from a breach. Avoid the temptation to fire off emails when a breach is suspected; pick up the phone. Don’t speculate on what might have happened; stick to the facts. Bear in mind that you may be dealing with an insider threat – such as a rogue employee – so keep any investigation on a strictly need-to-know basis and always consider using external investigators if there is any possibility of an inside attack.

4. Appoint your external advisors today if you haven’t done so already. When a major incident occurs, precious time can be wasted identifying and then retaining external support teams when you are up against a 72-hour notification deadline. Lawyers, forensics and PR advisors should ideally be contracted well before they are needed for a live incident. Find out more about DLA Piper’s breach response credentials and team (https://www.dlapiper.com/services/intellectual-property-and-technology/cybersecurity/).

5. Insurance: many insurers are now offering cyber insurance. However, there is a lack of standardization in coverage offered.

Limits are often too small for the likely exposure. Conditions are often inappropriate such as a requirement for the insured to

have fully complied with all applicable laws and its own internal policies which will rarely be the case. That said, it is usually possible

to negotiate better coverage with carriers in what continues to be a soft insurance market. Now is a good time to check the

terms of policies and work with your legal team and brokers to ensure that you have the best possible coverage. You should

clarify with brokers and underwriters what amounts to a notifiable incident to insurers under your policies as again there is no

common standard and failing to notify when required may invalidate cover. You should also ensure that your insurance policies

will cover the costs of your preferred external advisors as many policies will only cover advice from panel advisors. 

6. Develop standard notification procedures: Perhaps the greatest challenge facing organizations and regulators is the sheer volume of data breaches and the lack of standards or guidance as to how breaches should be notified and at what point they become notifiable. In the absence of guidance, organizations will need to make an informed decision as to how to develop internal operations for the detection, categorization, investigation, containment and reporting of data breaches. Similarly, supervisory authorities will need to develop standard approaches and standard categorizations of incidents to ensure that limited resources are focused on the most serious incidents first.
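The breach-register and deadline logic described in this section (the 72-hour clock of Article 33(1), the high-risk trigger for notifying individuals under Article 34, the required content of the regulator notification under Article 33(3), and the record of every breach whether notified or not under Article 33(5)) can be encoded directly. The following is an added illustration and is not DLA Piper’s code or any regulator’s tool; the three risk tiers, the field names and the sample incidents are constructed for the example. The “unlikely to result in a risk” tier reflects the carve-out in Article 33(1) that the text above does not spell out.

```python
"""Breach register modelled on GDPR Articles 33 and 34.

Added illustration, not DLA Piper's code. Field names, risk tiers and the
sample incidents are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Article 33(1): notify the supervisory authority not later than 72 hours
# after becoming aware of the breach, where feasible.
AUTHORITY_WINDOW = timedelta(hours=72)

# Article 33(3): what the notification to the regulator must contain
# (field names are the example's own, not a regulator's schema).
REQUIRED_NOTICE_FIELDS = (
    "nature",                   # nature of the breach
    "data_subject_categories",  # categories of individuals concerned
    "approx_data_subjects",     # approximate number of individuals
    "approx_records",           # approximate number of records
    "contact",                  # DPO or other contact point
    "likely_consequences",      # likely consequences of the breach
    "measures_taken",           # measures taken or proposed to mitigate harm
)


class Risk(Enum):
    UNLIKELY = "unlikely"  # Art 33(1) carve-out: record only, no regulator notice
    RISK = "risk"          # Art 33: notify the supervisory authority
    HIGH = "high"          # Art 34: also notify the affected individuals


@dataclass
class Breach:
    ref: str
    aware_at: datetime  # moment the controller became aware (timezone-aware)
    risk: Risk
    notice: dict = field(default_factory=dict)  # draft Art 33(3) notification
    authority_notified_at: Optional[datetime] = None
    subjects_notified_at: Optional[datetime] = None

    def authority_deadline(self) -> datetime:
        return self.aware_at + AUTHORITY_WINDOW

    def must_notify_authority(self) -> bool:
        return self.risk is not Risk.UNLIKELY

    def must_notify_subjects(self) -> bool:
        return self.risk is Risk.HIGH

    def missing_notice_fields(self) -> list:
        """Article 33(3) items still absent from the draft notification."""
        return [f for f in REQUIRED_NOTICE_FIELDS if not self.notice.get(f)]

    def authority_notice_overdue(self, now: datetime) -> bool:
        return (self.must_notify_authority()
                and self.authority_notified_at is None
                and now > self.authority_deadline())


class BreachRegister:
    """Article 33(5): every breach is recorded, whether notified or not."""

    def __init__(self):
        self.entries = []

    def record(self, breach: Breach) -> Breach:
        self.entries.append(breach)
        return breach

    def overdue(self, now: datetime) -> list:
        return [b.ref for b in self.entries if b.authority_notice_overdue(now)]

    def pending_subject_notices(self) -> list:
        return [b.ref for b in self.entries
                if b.must_notify_subjects() and b.subjects_notified_at is None]


def demo_register() -> BreachRegister:
    """Constructed sample incidents, all discovered at the same instant."""
    reg = BreachRegister()
    t0 = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc)
    # Misdirected e-mail to one recipient: recorded, not notifiable.
    reg.record(Breach("BR-001", t0, Risk.UNLIKELY))
    # Lost encrypted laptop: notifiable; complete notice sent after 30 hours.
    reg.record(Breach("BR-002", t0, Risk.RISK,
                      notice={f: "provided" for f in REQUIRED_NOTICE_FIELDS},
                      authority_notified_at=t0 + timedelta(hours=30)))
    # Exfiltrated customer database: high risk, notice still incomplete.
    reg.record(Breach("BR-003", t0, Risk.HIGH,
                      notice={"nature": "database exfiltration",
                              "contact": "dpo@example.com"}))
    return reg


def demo_status(hours_after_awareness: float) -> dict:
    """Register state a given number of hours after the incidents were discovered."""
    reg = demo_register()
    now = datetime(2022, 3, 1, 9, 0, tzinfo=timezone.utc) + timedelta(hours=hours_after_awareness)
    return {"overdue": reg.overdue(now),
            "pending_subject_notices": reg.pending_subject_notices(),
            "recorded": len(reg.entries)}
```

Running `demo_status(75)` reports BR-003 as overdue with the regulator and still owed to the affected individuals, while all three incidents remain in the register; `missing_notice_fields()` on BR-003 lists the Article 33(3) items still to be gathered before the notice can go out. In practice `aware_at` should be the timestamp the incident was first confirmed internally, since that is when the clock starts.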

I. MORE RIGHTS FOR INDIVIDUALS

GDPR builds on the rights enjoyed by individuals under the previous Directive, enhancing those rights and introducing a new right

to data portability. These rights are backed up with provisions making it easier to claim damages for compensation and for

consumer groups to enforce rights on behalf of consumers.

Transparency

One of the core building blocks of GDPR’s enhanced rights for individuals is the requirement for greater transparency. Various

information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and

plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data is obtained: 


the identity and contact details of the controller

the Data Protection Officer’s contact details (if there is one)

both the purpose for which data will be processed and the legal basis for processing including if relevant the legitimate

interests for processing

the recipients or categories of recipients of the personal data

details of international transfers

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this

the existence of rights of the data subject including the right to access, rectify, require erasure (the “right to be

forgotten”), restrict processing, object to processing and data portability; where applicable the right to withdraw consent,

and the right to complain to supervisory authorities

the consequences of failing to provide data necessary to enter into a contract

the existence of any automated decision making and profiling and the consequences for the data subject.

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Slightly different transparency requirements apply (Article 14) where the information has not been obtained from the data subject.

Subject access rights (Article 15)

These broadly follow the existing regime set out in the Directive though some additional information must be disclosed and there

is no longer a right for controllers to charge a fee, with some narrow exceptions. Information requested by data subjects must be

provided within one month as a default with a limited right for the controller to extend this period for up to three months.

Right to rectify (Article 16)

Data subjects continue to enjoy a right to require inaccurate or incomplete personal data to be corrected or completed without

undue delay.

Right to erasure (right to be forgotten)(Article 17)

The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right to be forgotten now has its own Article in GDPR. However, the right is not absolute; it only arises in quite a narrow set

of circumstances notably where the controller has no legal ground for processing the information. As demonstrated in the Google

Spain decision itself, requiring a search engine to remove search results does not mean the underlying content controlled by third

party websites will necessarily be removed. In many cases the controllers of those third party websites may have entirely

legitimate grounds to continue to process that information, albeit that the information is less likely to be found if links are

removed from search engine results. 

The practical impact of this decision has been a huge number of requests made to search engines for search results to be removed

raising concerns that the right is being used to remove information that it is in the public interest to be accessible.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data is no longer needed save for legal claims of the data subject; or where the legitimate grounds for processing by the controller, and whether these override those of the data subject, are contested.

Right to data portability (Article 20)

This is an entirely new right in GDPR and has no equivalent in the previous Directive. Where the processing of personal data is justified either on the basis that the data subject has given their consent to processing or where processing is necessary for the performance of a contract, and where the processing is carried out by automated means, then the data subject has the right to


receive or have transmitted to another controller all personal data concerning them in a structured, commonly used and

machine-readable format.

The right is a good example of the regulatory downsides of relying on consent or performance of a contract to justify processing –

they come with various baggage under GDPR relative to other justifications for processing.

Where the right is likely to arise controllers need to develop procedures to facilitate the collection and transfer of personal data

when requested to do so by data subjects.

Right to object (Article 21)

The Directive’s right to object to the processing of personal data for direct marketing purposes at any time is retained. 

In addition, data subjects have the right to object to processing which is legitimized on the grounds either of the legitimate

interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of

the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data

subject or that the processing is for the establishment, exercise or defense of legal claims.

The right not to be subject to automated decision making, including profiling (Article 22)

This right expands the Directive right not to be subject to automated decision making. GDPR expressly refers to profiling as an

example of automated decision making. Automated decision making and profiling “which produces legal effects concerning [the

data subject] … or similarly significantly affects him or her” are only permitted where 

(a) necessary for entering into or performing a contract

(b) authorized by EU or Member State law, or

(c) the data subject has given their explicit (i.e. opt-in) consent.

The scope of this right is potentially extremely broad and may throw into question legitimate profiling for example to detect fraud

and cybercrime. It also presents challenges for the online advertising industry and website operators who will need to revisit

consenting mechanics to justify online profiling for behavioral advertising. This is an area where further guidance is needed on how

Article 22 will be applied to specific types of profiling.

Practical implications

1. Controllers need to review and update current fair collection notices to ensure compliance with the expanded information

requirements. Much more granular notices are required using plain and concise language.

2. Consideration should be given to which legal justifications for processing are most appropriate for different purposes, given that

some such as consent and processing for performance of a contract come with additional regulatory burden in the form of

enhanced rights for individuals.

3. For some controllers with extensive personal data held on consumers, it is likely that significant investment in customer

preference centers is required on the one hand to address enhanced transparency and choice requirements and on the other hand

to automate compliance with data subject rights.

4. Existing data subject access procedures should be reviewed to ensure compliance with the additional requirements of GDPR.

5. Policies and procedures need to be written and tested to ensure that controllers are able to comply with data subjects’ rights

within the time limits set by GDPR. In some cases, such as where data portability engages, significant investments may be required.

J. DATA PROTECTION OFFICERS

GDPR introduces a significant new governance burden for those organizations which are caught by the new requirement to

appoint a DPO. Although this was already a requirement for most controllers in Germany under previous data protection laws, it

is an entirely new requirement (and cost) for many organizations.


The following organizations must appoint a data protection officer (DPO) (Article 37):

public authorities

controllers or processors whose core activities consist of processing operations which by virtue of their nature, scope or purposes require regular and systematic monitoring of data subjects on a large scale

controllers or processors whose core activities consist of processing sensitive personal data on a large scale.

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices though perhaps in recognition of the

current shortage of experienced data protection professionals, it is possible to outsource the DPO role to a service provider

(Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which

relate to the protection of personal data” (Article 38(1)). The role is therefore a sizeable responsibility for larger controllers and

processors.

The DPO must directly report to the highest management level, must not be told what to do in the exercise of their tasks and

must not be dismissed or penalized for performing their tasks (Article 38(3)).

The specific tasks of the DPO are set out in GDPR including (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws

to monitor compliance with law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff

to advise and monitor data protection impact assessments

to cooperate and act as point of contact with the supervisory authority

Practical implications

1. Organizations need to assess whether or not they fall within one or more of the categories where a DPO is mandated. Public authorities will be caught (with some narrow exceptions), as will many social media, search and other tech firms who monitor online consumer behavior to serve targeted advertising. Many b2c businesses which regularly monitor the online activity of their customers and website visitors will also be caught.

2. There is currently a shortage of expert data protection officers as outside of Germany this is a new requirement for most

organizations. Organizations will therefore need to decide whether to appoint an internal DPO with a view to training them up

over the next couple of years or use one of the external DPO service providers several of which have been established to fill this

gap in the market. Organizations might consider a combination of internal and external DPO resources as given the size of the

task it may not be realistic for just one person to do it. 

K. ACCOUNTABILITY AND GOVERNANCE

Accountability is a recurring theme of GDPR. Data governance is no longer just a case of doing the right thing; organizations need

to be able to prove that they have done the right thing to regulators, to data subjects and potentially to shareholders and the

media often years after a decision was taken.

GDPR requires each controller to demonstrate compliance with the data protection principles (Article 5(2)). This general

principle manifests itself in specific enhanced governance obligations which include:

Keeping a detailed record of processing operations (Article 30)

The requirement in previous data protection laws to notify the national data protection authority about data processing

operations was abolished and replaced by a more general obligation on the controller to keep extensive internal records

of their data protection activities. The level of detail required is far more granular compared to many previous Member

State notification requirements. There is some relief granted to organizations employing fewer than 250 people though the

exemption is very narrowly drafted.

Performing data protection impact assessment for high risk processing (Article 35)

A data protection impact assessment is a mandatory prerequisite before carrying out processing which is likely to result in a high risk to the rights and freedoms of individuals. Specific examples are set out of high risk processing

requiring impact assessments including: automated processing including profiling that produce legal effects or similarly

significantly affect individuals; processing of sensitive personal data; and systematic monitoring of publicly accessible areas

on a large scale. DPOs, where in place, have to be consulted. Where the impact assessment indicates high risks in the

absence of measures to be taken by the controller to mitigate the risk, the supervisory authority must also be consulted

(Article 36) and may second guess the measures proposed by the controller and has the power to require the controller

to impose different or additional measures (Article 58).

Designating a data protection officer (Article 37): see section J, Data Protection Officers

Notifying and keeping a comprehensive record of data breaches (Articles 33 and 34): see Data Breach Notification

Implementing data protection by design and by default (Article 25)

GDPR introduces the concepts of “data protection by design and by default.” “Data protection by design” requires taking

data protection risks into account throughout the process of designing a new process, product or service, rather than

treating it as an afterthought. This means assessing carefully and implementing appropriate technical and organizational

measures and procedures from the outset to ensure that processing complies with GDPR and protects the rights of the

data subjects.

“Data protection by default” requires ensuring mechanisms are in place within the organization to ensure that, by default,

only personal data which are necessary for each specific purpose are processed. This obligation includes ensuring that only

the minimum amount of personal data is collected and processed for a specific purpose; the extent of processing is limited

to that necessary for each purpose; the data is stored no longer than necessary and access is restricted to that necessary

for each purpose.
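Data protection by default, as the two paragraphs above describe it, amounts to four gates on every processing operation: only the fields a declared purpose needs are kept, processing outside a declared purpose is refused, data past its retention period is treated as due for erasure, and access is limited to the roles the purpose requires. The following is an added example of how those gates look in code; it is not DLA Piper’s code, and the purpose registry, field names, retention periods, roles and sample record are all constructed for the illustration.

```python
"""Purpose-bound record handling as an illustration of "data protection by
default" (GDPR Article 25).

Added example, not DLA Piper's code. The purpose registry, field names,
retention periods, roles and the sample record are constructed.
"""
from datetime import datetime, timedelta, timezone

# Each declared purpose states the fields it needs, how long they may be kept,
# and which roles may process for it. Anything not listed is off by default.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"customer_id", "name", "postal_address", "order_items"},
        "retention": timedelta(days=180),
        "roles": {"warehouse", "support"},
    },
    "fraud_screening": {
        "fields": {"customer_id", "payment_hash", "ip_address"},
        "retention": timedelta(days=90),
        "roles": {"risk"},
    },
}


class PurposeError(ValueError):
    """Raised when processing is attempted outside a declared purpose."""


def minimise(record: dict, purpose: str) -> dict:
    """Data minimisation: keep only the fields the purpose declares.
    Any other field in the record is dropped rather than passed on."""
    spec = PURPOSES.get(purpose)
    if spec is None:
        raise PurposeError(f"no declared purpose: {purpose!r}")
    return {k: v for k, v in record.items() if k in spec["fields"]}


def retention_expired(collected_at: datetime, purpose: str, now: datetime) -> bool:
    """Storage limitation: true once the purpose's retention period has elapsed."""
    spec = PURPOSES.get(purpose)
    if spec is None:
        raise PurposeError(f"no declared purpose: {purpose!r}")
    return now > collected_at + spec["retention"]


def access_allowed(role: str, purpose: str) -> bool:
    """Access restriction: only roles declared for the purpose may process."""
    spec = PURPOSES.get(purpose)
    return spec is not None and role in spec["roles"]


def process(record: dict, purpose: str, role: str,
            collected_at: datetime, now: datetime) -> dict:
    """Single entry point: role check, retention check, then minimisation."""
    if not access_allowed(role, purpose):
        raise PermissionError(f"role {role!r} may not process for {purpose!r}")
    if retention_expired(collected_at, purpose, now):
        raise PurposeError("retention period elapsed; record is due for erasure")
    return minimise(record, purpose)


# Constructed sample record; the extra fields show what never leaves the store.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "A. Example",
    "postal_address": "1 Sample Street",
    "order_items": ["SKU-7"],
    "payment_hash": "constructed-hash",
    "ip_address": "198.51.100.7",
    "date_of_birth": "1990-01-01",  # needed by no declared purpose
}


def demo() -> dict:
    """Exercise the gates on the sample record."""
    t0 = datetime(2022, 1, 1, tzinfo=timezone.utc)
    fulfil = process(SAMPLE_RECORD, "order_fulfilment", "warehouse",
                     t0, t0 + timedelta(days=10))
    try:
        process(SAMPLE_RECORD, "fraud_screening", "warehouse", t0, t0)
        cross_purpose = "allowed"
    except PermissionError:
        cross_purpose = "blocked"
    expired = retention_expired(t0, "fraud_screening", t0 + timedelta(days=91))
    return {"fulfil_fields": sorted(fulfil),
            "cross_purpose": cross_purpose,
            "fraud_expired": expired}
```

The point of routing every operation through `process()` is that the safe outcome needs no decision by the caller: a warehouse user asking for fraud-screening data is refused, a 91-day-old fraud record is flagged as due for erasure, and `date_of_birth`, which no purpose declares, is never returned. Adding a new purpose means adding a registry entry, which is the document the DPO can review.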

Practical implications

1. Data mapping: every controller and processor needs to carry out an extensive data audit across the organization and supply chains, record this information in accordance with the requirements of Article 30 and have governance in place to ensure that the information is kept up-to-date. The data mapping exercise is also crucial to determining compliance with GDPR’s other obligations, so this exercise should be commenced as soon as possible.

2. Gap analysis: Once the data mapping exercise is complete, each organization needs to assess its current level of compliance with

the requirements of GDPR. Gaps need to be identified and remedial actions prioritized and implemented.

3. Governance and policy for data protection impact assessments: the data mapping exercise should identify high risk processing.

Data protection impact assessments need to be completed and documented for each of these (frequently these will include third

party suppliers) and any remedial actions identified implemented. Supervisory authorities may need to be consulted. A procedure

needs to be put in place to standardize future data protection impact assessments and to keep existing impact assessments

regularly updated where there is a change in the risk of processing.

4. Data protection by design and by default: in part these obligations will be addressed through implementing remedial steps

identified by the gap analysis and in data protection impact assessments. However, to ensure that data protection by design and by

default is delivered, extensive staff and supplier engagement and training will also be required to raise awareness of the importance

of data protection and to change behaviors.

L. DEROGATIONS

European data protection laws today are in many cases substantively very different among Member States. This is partly due to the

ambiguities in the Directive being interpreted and implemented differently, and partly due to the Directive permitting Member

States to implement different or additional rules in some areas. As GDPR will become law without the need for any secondary

implementing laws, there will be a greater degree of harmonization relative to the current regime. However, GDPR preserves the

right for Member States to introduce different laws in many important areas and as a result we are likely to continue to see a

patchwork of different data protection laws among Member States, for certain types of processing.

Each Member State is permitted to restrict the rights of individuals and transparency obligations (Article 23) by legislation when

the restriction “respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure in a

democratic society” to safeguard one of the following:


(a) national security

(b) defense

(c) public security

(d) the prevention, investigation, detection or prosecution of breaches of ethics for regulated professions, or crime, or the

execution of criminal penalties

(e) other important objectives of general public interest of the EU or a Member State, in particular economic or financial interests

(f) the protection of judicial independence and judicial proceedings

(g) a monitoring, inspection or regulatory function connected with national security, defense, public security, crime prevention,

other public interest or breach of ethics

(h) the protection of the data subject or the rights and freedoms of others

(i) the enforcement of civil law claims

To be a valid restriction for the purposes of GDPR, any legislative restriction must contain specific provisions setting out:

(a) the purposes of processing

(b) the categories of personal data

(c) the scope of the restrictions

(d) the safeguards to prevent abuse or unlawful access or transfer

(e) the controllers who may rely on the restriction

(f) the permitted retention periods

(g) the risks to the rights and freedoms of data subjects

(h) the right of data subjects to be informed about the restriction, unless prejudicial to the purpose of the restriction

In addition to these permitted restrictions, Chapter IX of GDPR sets out various specific processing activities which include

additional derogations, exemptions and powers for Member States to impose additional requirements. These include:

processing and freedom of expression and information (Article 85)

processing and public access to official documents (Article 86)

processing of national identification numbers (Article 87)

processing in the context of employment (Article 88)

safeguards and derogations to processing for archiving purposes in the public interest, scientific or historical research

purposes or statistical purposes (Article 89)

obligations of secrecy (Article 90)

existing data protection rules of churches and religious associations (Article 91)

These special cases also appeared in the Directive, though in some cases have been amended or varied in GDPR.

Practical implications

1. Controllers and processors first need to determine which Member States’ laws apply to their processing activities and whether

processing will be undertaken within any specific processing activities which may be subject to additional restrictions.

2. These Member State laws then need to be checked to determine what additional requirements engage. Changes in law need to

be monitored and any implications for processing activities addressed.

3. Derogations pose a challenge to multi-national organizations seeking to implement standard European-wide solutions to address

compliance with GDPR; these need to be sufficiently flexible to allow for exceptions where different rules engage in one or more

Member State.

M. CROSS-BORDER ENFORCEMENT

The ideal of a one-stop-shop ensuring that controllers present in multiple Member States would only have to answer to their lead

home regulator failed to make it into the final draft. GDPR includes a complex, bureaucratic procedure allowing multiple


‘concerned’ authorities to input into the decision making process.

The starting point for enforcement of GDPR is that controllers and processors are regulated by and answer to the supervisory

authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and there are powers for a supervisory authority in another Member State to enforce where an infringement occurs on its territory or substantially affects data subjects only in its territory (Article 56(2)).

In situations where multiple supervisory authorities are involved in an investigation or enforcement process there is a cooperation

procedure (Article 60) involving a lengthy decision making process and a right to refer to the consistency mechanism (Articles 63 –

65) if a decision cannot be reached, ultimately with the European Data Protection Board having the power to take a binding

decision.

There is an urgency procedure (Article 66) for exceptional circumstances which permits a supervisory authority to adopt

provisional measures on an interim basis where necessary to protect the rights and freedoms of data subjects.

Practical implications

1. Controllers and processors need to determine which Member States’ supervisory authorities have jurisdiction over their

processing activities; which is the lead authority and which other supervisory authorities may have jurisdiction.

2. An important aspect of managing compliance risk is to try to stay on the right side of your regulator by engaging positively with

any guidance published and taking up opportunities such as training and attending seminars.


DATA PROTECTION AND PRIVACY GROUP KEY CONTACTS

Americas

Jennifer Kashatus, Partner. T +1 202 799 4448, jennifer.kashatus@dlapiper.com

Kate Lucente, Partner and Co-Editor, Data Protection Laws of the World. T +1 813 222 5927, kate.lucente@dlapiper.com

Andrew Serwin, Partner, Global Co-Chair Data Protection, Privacy and Security Group. T +1 858 677 1418, andrew.serwin@dlapiper.com

Europe, Middle East and Africa

Andrew Dyson, Partner, Global Co-Chair Data Protection, Privacy and Security Group. T +44 (0)113 369 2403, andrew.dyson@dlapiper.com

Ewa Kurowska-Tober, Partner, Global Co-Chair Data Protection, Privacy and Security Group. T +48 22 540 74 1502, ewa.kurowska-tober@dlapiper.com

Denise Lebeau-Marianna, Partner. T + 33 (0)1 40 15 24 98, denise.lebeau-marianna@dlapiper.com

Diego Ramos, Partner. T +349 17901658, diego.ramos@dlapiper.com

Richard van Schaik, Partner. T +31 20 541 9828, richard.vanschaik@dlapiper.com

Asia Pacific

Carolyn Bigg, Partner, Global Co-Chair of Data Protection, Privacy and Security Group. T +852 2103 0576, carolyn.bigg@dlapiper.com

Nicholas Boyle, Partner. T +61 2 9286 8479, nicholas.boyle@dlapiper.com


EDITORS

James Clark, Senior Associate and Co-Editor, Data Protection Laws of the World. T +44 113 369 2461, james.clark@dlapiper.com

Kate Lucente, Partner and Co-Editor, Data Protection Laws of the World. T +1 813 222 5927, kate.lucente@dlapiper.com

Lea Lurquin, Associate and Contributing Editor, Data Protection Laws of the World. T +1 415 615 6024, lea.lurquin@dlapiper.com


ALBANIA

Last modified 22 December 2021

LAW

The Republic of Albania regulates personal data protection pursuant to Law No. 9887, dated 10 March 2008 “On Protection of Personal Data”, as amended (“Data Protection Law”) (Official Gazette of the Republic of Albania No. 44, dated 1 April 2008).

The Data Protection Law was last amended in 2014, thus it is yet to be harmonized with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

The complete harmonization of the current Albanian legislation in force on data protection with the GDPR has been one of the

main objectives of the Office of Information and Data Protection Commissioner since 2018, however this objective has yet to be

achieved (due in part to the Covid-19 pandemic).

DEFINITIONS

Definition of Personal Data

Data Protection Law defines personal data as any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Definition of Sensitive Personal Data

Data Protection Law defines sensitive data as any information related to a natural person referring to his racial or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, criminal prosecution, as well as data concerning his health and sexual life.

NATIONAL DATA PROTECTION AUTHORITY

The Right to Information and Data Protection Commissioner (the “Commissioner”) is the Albanian independent authority in charge of supervising and monitoring the protection of personal data and the right to information, by respecting and guaranteeing the fundamental human rights and freedoms in compliance with the legal framework.

The Commissioner is a public legal person, elected by the Parliament upon a proposal of the Council of Ministers for a 5-year term, eligible for re-election. The Parliament also designates the organizational structure of the Commissioner’s Office.

The information obtained by the Commissioner while exercising his duties shall be used only for supervisory purposes in compliance with the legislation on the protection of personal data. The Commissioner shall remain under the obligation of confidentiality even after the termination of his functions.

The Commissioner is seated at Rr. “Abdi Toptani”, Nd. 5, 1001, Tirana, Albania.


REGISTRATION

Data Protection Law provides for the legal obligation of every controller to notify the Commissioner of the processing of personal data for which it is responsible. The notification shall be made before the controller processes the data for the first time, or when a change of the processing notification status is required.

The notification shall contain the name and address of the controller, the purpose of personal data processing, the categories of data subjects and personal data, the recipients and categories of the recipients of personal data, the proposal on the international transfers that the controller aims to carry out and a general description of the measures for the security of personal data. The notification is done either online, on the website of the Commissioner, or manually, by submitting the completed notification form to the Commissioner’s Office.

The information submitted by the data controller through the notification, except for the general description of the measures for the security of personal data, shall be published by the Commissioner’s Office on the Electronic Register of Controllers, which is accessible by the public on the official website (https://www.idp.al/).

The notification process and the publication of the information it contains are fundamental to ensuring transparency for the public and consequently to protecting personal data. Through access to the Electronic Register of Controllers, the public has the means of understanding how personal data are processed by the controlling entities.

The failure of the controlling entities to comply with the obligation to notify the Commissioner constitutes an administrative offence and is punishable by a fine.

However, there are cases in which the controllers are exempted from the notification obligation, as follows:

- The processing of personal data is performed in order to keep a register which, in accordance with the law or sub-legal acts, provides information for the public;
- The processing of personal data is performed in order to protect the constitutional institutions, national security interests, foreign policies, economic or financial interests of the state, or for the prevention or prosecution of criminal offences;
- The processing of data is done pursuant to Decision of the Commissioner No. 4 “On the Determination of the Cases Exempted from the Notification Obligation of the Personal Data which are Processed”, dated 27 December 2012.

DATA PROTECTION OFFICERS

In compliance with its responsibility to issue instructions on measures to be undertaken for the activity of specific sectors, the Commissioner has issued two instructions:

- Instruction No. 22 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Small Processing Entities”, dated 24 September 2012, as amended. Small processing entities shall mean the controllers or processors that process personal data by way of electronic or manual means, by fewer than six processing persons, either directly or through processors.
- Instruction No. 47 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Large Processing Entities”, dated 14 September 2018. Large processing entities shall mean the controllers or processors that process personal data by way of electronic or manual means, by six or more processing persons, either directly or through processors.

Personal data processing entities are responsible for the internal supervision of the protection of the processed personal data. Each entity subject to Instruction No. 47, dated 14 September 2018 (i.e., large processing entities), shall authorize in writing at least one Data Protection Officer (“DPO”; Albanian terminology: Contact Person) who shall be charged with carrying out the internal supervision. Small processors contracted by large processors are also advised to appoint a DPO.

Instruction No. 47, dated 14 September 2018 determines the criteria that a person must fulfil in order to be appointed as a DPO, as well as the duties and responsibilities of a DPO, which include, among others:

- the internal supervision of the fulfilment of the obligations for the protection of personal data by the personal data processing entity;
- the implementation of technical, organizational and staff-related measures;
- the necessary cooperation with the Commissioner;
- etc.

COLLECTION & PROCESSING

Data Protection Law states that fair and lawful processing is one of the core principles for the protection of personal data. Personal data shall be collected and/or processed for specific, clearly defined and legitimate purposes.

Personal data protection is based on data adequacy (data which are relevant to the purpose of their processing and not excessive in relation to such purpose), as well as data accuracy (data which are updated and complete).

Additionally, the data are to be kept in a form that allows the identification of data subjects for no longer than is necessary for the purpose for which they were collected or further processed.

Data Protection Law provides for the legal criteria for personal data processing, sensitive data processing and special processing of data.

Personal data may be processed only:

- with the consent of the personal data subject;
- if necessary for the performance of a contract to which the data subject is a party, or in order to negotiate or amend a draft contract at the request of the data subject;
- to protect the vital interests of the data subject;
- to comply with a legal obligation of the controller;
- for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to whom the data are disclosed;
- if the processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject’s right to protection of personal life and privacy.

The processing of personal data in the field of national security, criminal law and crime prevention shall be performed by official authorities as stipulated in the law.

The controller or processor that processes personal data for the purpose of offering business opportunities or services may use personal data obtained from a public data list. The controller or processor cannot process these data further if the data subject has expressed his disagreement or has objected to their further processing.

It should be noted that additional personal data cannot be added to the data obtained from the public data list without the consent of the data subject. However, the controller is allowed to keep these personal data in its filing system even after the data subject has objected to the processing. Such data can be used only if the data subject gives his consent.

Collection of personal data related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his explicit consent.

Sensitive data may be processed only if:

- the data subject has given his consent, which may be revoked at any given moment, making any further processing of data illegal;
- it is in the vital interest of the data subject or another person and the data subject is physically or mentally incapable of giving his consent;
- it is authorized by the responsible authority for an important public interest, under adequate safeguards;
- it is related to data which are widely made known by the data subject, or it is necessary for exercising/protecting a legal right;
- the data are processed for historic, scientific or statistical purposes, under adequate safeguards;
- the data are required for the purposes of preventive medicine, medical diagnosis, the provision of health care, treatment or management of health care services, and the data are used by the medical personnel or other persons with the obligation to preserve confidentiality;
- the data are processed by non-profit political, philosophical or religious organizations and trade unions for purposes of their legitimate activity, only for members, sponsors, or other persons related to their activity. These data shall not be disclosed to a third party without the consent of the data subject unless otherwise stipulated by law;
- the data processing is necessary for the purpose of fulfilling the legal obligations and specific rights of the controller in the field of employment in compliance with the Labour Code.

Special processing of data:

Processing for historical, scientific and statistical purposes:

Personal data collected for any purpose may be further processed for historic, scientific or statistical purposes, provided that the data are not processed in order to take measures or decisions related to an individual.

The transmission of sensitive data for scientific research shall take place only in case of an important public interest. Personal data shall be used exclusively by individuals who are bound by the obligation of confidentiality. When data processing is made in a manner that allows the identification of the data subject, the data should be encrypted immediately so that the subjects are no longer identifiable. Encrypted personal data shall be used exclusively by individuals bound by the obligation of confidentiality.

Processing of personal data and freedom of expression:

The Commissioner has issued Instruction No. 31, dated 27 December 2012 “On the Determination of the Conditions and Criteria for the Exemption from the relevant Obligations in Personal Data Processing for Journalism, Literature or Artistic Purposes”. The exemptions for these purposes shall be allowed to the extent that they reconcile the right of personal data protection with the rules governing the right to freedom of expression.

TRANSFER

The international transfer of personal data may be carried out with recipients from states which have an adequate level of personal data protection. The level of personal data protection for a state is established by assessing all circumstances related to the nature, purpose and duration of the processing, the country of origin and final destination, as well as the legal provisions and security standards in force in the recipient state.

Pursuant to the Decision of the Commissioner No. 8, dated 31 October 2016, the following states have an adequate level of data protection:

- European Union member states;
- European Economic Area states;
- Parties to the Convention No. 108 of the Council of Europe “For the Protection of Individuals with regard to Automatic Processing of Personal Data”, as well as its 1981 Protocol, which have approved a special law and set up a supervisory authority that operates in complete independence, providing appropriate legal mechanisms, including handling complaints, investigating and ensuring the transparency of personal data processing;
- States to which personal data may be transferred pursuant to a decision of the European Commission.

International transfer of personal data to a state that does not have an adequate level of personal data protection may be done if:

- it is authorized by international acts ratified by the Republic of Albania that are directly applicable;
- the data subject has given his consent for the international transfer;
- the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken in addressing a request of the data subject, or the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, in the interest of the data subject;
- it is a legal obligation of the controller;
- it is necessary for protecting vital interests of the data subject;
- it is necessary or constitutes a legal requirement over an important public interest or for exercising and protecting a legal right;
- it is done from a register that is open for consultation and provides information to the general public.

Pursuant to the Data Protection Law, the Commissioner issues instructions in order to allow certain categories of personal data to be transferred to a state that does not have an adequate level of personal data protection. In these cases, the controller is exempted from the authorization request. Accordingly, the Commissioner has issued Instruction No. 41, dated 13 June 2014 “On Allowing some Categories of International Transfers of Personal Data in a Country that does not have an Adequate Level of Personal Data Protection”.

Controllers wishing to transfer personal data to other countries lacking adequate personal data protection may fill in an application form “For the Approval of the Transfer of Personal Data to a State that does not have an Adequate Level of Data Protection, through the Authorization of the Commissioner”.

In 2014, the Commissioner also issued a Manual on the International Transfer of Personal Data which provides guidelines on the international transfer of personal data.

The exchange of personal data with the diplomatic representations of foreign governments or international institutions in the Republic of Albania shall be considered an international transfer of data.

SECURITY

Data Protection Law introduces the obligation of the data controller or processor to undertake appropriate organizational and technical measures to protect personal data from unlawful or accidental destruction, accidental loss, or from being accessed or disclosed by unauthorized persons, as well as from any kind of unlawful processing.

The controller is under the obligation to document the measures it has undertaken to ensure protection of personal data, in compliance with the law and other legal regulations.

The data controller undertakes the following special security measures:

- defines the functions among the organizational units and the operators for the use of data;
- the use of data shall be done by order of authorized organizational units or operators;
- instructs all operators on their obligations arising from the data protection legal framework;
- prohibits access of unauthorized persons to the working facilities of the data controller or processor;
- data and programs shall be accessed only by authorized persons;
- prohibits access to and use of the filing system by unauthorized persons;
- data processing equipment shall be operated only with an authorization, and every device shall be secured with preventive measures against unauthorized operation;
- records and documents data alteration, rectification, erasure, transfer, etc.

The level of security shall be in compliance with the nature of personal data processing. The Commissioner has established the detailed rules for personal data security by means of Decision No. 6, dated 05 August 2013 “On the Determination of Detailed Rules for the Security of Personal Data”.

The recorded data may only be used in accordance with their collection purpose, unless they are used to guarantee national security or public security, for the prevention or investigation of a criminal offence, or prosecution of the author thereof, or of any infringement of ethics of the regulated professions.

The data documentation shall be kept for as long as is necessary for their collection purpose.

The obligation of confidentiality and integrity of the controllers, processors and any other persons that come to know the content of the processed data while exercising their duty shall survive the termination of their functions. The processed data shall not be disclosed unless provided otherwise by law. Anyone acting under the authority of the controller or the processor shall not process the personal data to which they have access without the authorization of the controller, unless obliged by law.

BREACH NOTIFICATION

Data Protection Law does not provide for a general obligation of the data controller or data processor to notify the Commissioner in case of a personal data breach.

However, pursuant to Instruction No. 47, dated 14 September 2018 “On the Determination of Rules for Maintaining the Security of Personal Data Processed by Large Processing Entities”, which, as mentioned above, applies only to large data processing entities, the DPO shall promptly notify the large data processing entity in writing of any risk of violation of the data subjects’ rights, including in case of the violation of personal data protection legislation.

In the event that, following the notification of the DPO, the large data processing entity fails to take appropriate measures to address the problem in a timely manner, the DPO notifies the Commissioner without delay. Therefore, in case of a breach of data handled by a large data processing entity, resulting from the violation of the data subjects’ rights or from the violation of personal data protection legislation, which has not been addressed effectively, the DPO has the obligation to notify the Commissioner.

It should also be noted that, pursuant to an opinion of the Commissioner on the protection of personal data on the websites of public and private controllers, data subjects have the right to be notified by the data controller if their personal data have been compromised (data has been lost or stolen, or their online privacy is likely to be negatively affected). To the best of our understanding, the position expressed by the Commissioner in this opinion merely serves as a guideline and does not have a binding effect.

On the other hand, Law No. 9918, dated 19 May 2008 “On Electronic Communications in the Republic of Albania”, as amended (“Electronic Communications Law”) (Official Gazette of the Republic of Albania No. 84, dated 10 June 2008) provides for another breach notification procedure.

The Electronic Communications Law defines personal data breach as any breach of security leading to the destruction, loss, alteration or unauthorized distribution, accidental or unlawful, or access to personal data transmitted, stored or processed, in connection with the provision of an electronic communications service available to the public.

Pursuant to article 122 of the Electronic Communications Law, entrepreneurs of public electronic communications networks and services are under the obligation to implement, individually or, when necessary, in cooperation with each other, technical and organizational measures to ensure the security of the networks and/or services provided by them.

These measures are meant to ensure an adequate level of protection and security of personal data against potential, foreseeable risks. With respect to the personal data of the users, entrepreneurs of public electronic communications networks and services are under the obligation to inform their users about any specific risk, how the risk can be reduced by the users, as well as the possible costs, which must be covered by the user, if the risk lies beyond the measures that the entrepreneur can take.

In addition, in case of a personal data breach, the entrepreneur who provides electronic communications services available to the public promptly notifies the Authority of Electronic and Postal Communications (“AEPC”). When the breach of personal data may adversely affect the personal data and privacy of the subscriber or individual, the entrepreneur shall also promptly notify the said subscriber or individual.

However, if the entrepreneur has proved to the AEPC that it has implemented the necessary technological protection measures and these measures have been applied to the relevant data, then the entrepreneur is not required to notify the subscriber or the individual of the violation of personal data. These technological safeguards ensure that the personal data become illegible to any person who does not have authorized access to the data.


ENFORCEMENT

The Commissioner is the competent authority for the supervision and enforcement of Data Protection Law. The Commissioner has the right to:

- conduct administrative investigations, have access to personal data processing and collect all the necessary information in order to fulfil his supervisory obligations;
- order the blocking, erasure, destruction or suspension of the unlawful processing of personal data;
- give instructions prior to the processing of data and ensure their publication.

In cases of recurring or intentional serious infringement of the Data Protection Law by a controller or processor, the Commissioner acts in compliance with article 39 of Data Protection Law and reports the case publicly or reports it to the Parliament and the Council of Ministers.

Article 39 (1) of Data Protection Law specifies that data processing in violation of the Data Protection Law constitutes an administrative offence and may be subject to administrative fines which vary from 10,000 ALL (approx. 83 EUR) to 1,000,000 ALL (approx. 8,300 EUR), with legal persons being subject to double the amount specified herein.

Data Protection Law also states that the fine is doubled when the following provisions are breached:

- When the data subject has filed a complaint, the controller shall have no right to make any changes to the personal data until a final decision is reached.
- The Commissioner is responsible for authorizing, in special cases, the use of personal data for purposes not designated during the phase of their collection, in compliance with the principles of the Data Protection Law.

The sanctioned subject may appeal the fine in court within the deadlines and according to the procedures that regulate administrative trials.

Fines shall be paid no later than 30 days from their issuing. When the deadline expires, the decision becomes an executive title and is executed in a mandatory manner by the bailiff’s office, upon request of the Commissioner. Fines are paid into the state budget.

In case the offence constitutes a crime, the Commissioner files the relevant criminal charges with the competent law enforcement authorities.

ELECTRONIC MARKETING

Data Protection Law provides that the collection of personal data related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his explicit consent.

Data Protection Law defines direct marketing as the communication of promotional material, by every means and way, using personal data of legal or natural persons, agencies or other entities, with or without interference.

Moreover, the data subject has the right to demand that the controller not start processing, or, in case the processing has started, stop processing personal data related to him for the purposes of direct marketing, and to be informed in advance before personal data are disclosed for the first time for such purpose.

The Commissioner has issued Instruction No. 06, dated 28 May 2010 “On the correct use of SMSs for promotional purposes, advertising, information, direct sales, via mobile phone”. This instruction emphasizes the importance of the prior consent given by the data subject.

In addition, pursuant to article 124 of the Electronic Communications Law, electronic communications service providers may process traffic data for marketing purposes only after prior approval by the subscriber. Subscribers should be informed of the type of traffic data being processed before giving approval for their processing. Subscribers and users have the right to withdraw their approval at any time.


ONLINE PRIVACY

The Data Protection Law does not provide for regulatory measures targeting cookies. Accordingly, the general data protection rules, as provided for by the Data Protection Law, apply to online privacy as well.

Although there are no specific regulatory measures under the data protection regulatory framework, the Commissioner has tried to provide some clarifications on the notion of cookies and on their use, albeit in a minimalist way.

The Commissioner has defined cookies in an online dictionary as some data stored on the computer, which contain specific information. This rudimentary definition is further complemented by a short explanation which states that cookies allow any server to know what pages have been visited recently, just by reading them.

In addition, the Commissioner has issued an opinion (which is slightly dated and, as mentioned above, does not have a binding effect on the data controllers) on the protection of personal data on the websites of public and private controllers. In this opinion the Commissioner reminds the data controllers of their obligations under the Data Protection Law and of the rights of data subjects, which apply to online personal data collection:

- The right to be fully informed and to give their approval if a website (or an application) processes their data;
- The right to keep their online communications secret (including email, the computer’s IP or modem No.);
- The right to be notified if their personal data are compromised (data has been lost or stolen, or their online privacy is likely to be negatively affected);
- The right to request that their personal data be excluded from data processing for direct marketing if they have not given their consent.

Furthermore, in this opinion the Commissioner emphasizes the importance for data controllers to adopt privacy policies, which should include, inter alia:

- The identity of the controller;
- The information collected from the users, specifying the category of personal data;
- Specific policies regarding cookies and other technologies that allow data controllers to gather information on the users of the website, and to notify the latter about their use.

In addition to the above, it should be noted that the Electronic Communications Law (articles 124-126) introduces rules on the processing of location data.

Under these rules, electronic communications providers may process traffic data only as long as such data are necessary for the purpose of the transmission of the communication, and thereafter must delete such data or render them anonymous.

Electronic communications service providers must provide, in the contract entered into with the user, details on the storage, the duration and the manner of processing of the traffic data. The Electronic Communications Law provides that these traffic data can be processed only by the relevant persons authorized by the electronic communications service providers, namely those who are responsible for billing or traffic management, customer service, marketing, fraud detection, or the provision of value-added services, provided that the processing of traffic data is limited to the scope of their respective activity.

In addition, the Electronic Communications Law provides that the processing of location data can be carried out for the duration of the value-added services and only if the data are rendered anonymous or if the user has granted prior consent, which consent may be revoked at any time.

Prior to obtaining the consent of the users, the electronic communications service providers must provide information on:

- the type of location data to be processed;
- the purposes and duration of processing;
- the possibility that the location data be shared with third parties, for value-added service purposes.

The location data can be processed only by the relevant persons authorized by the electronic communications service providers, namely those who are responsible for the provision of the service, or by third parties which are responsible for the provision of value-added services, provided that the processing of traffic data is limited to the scope of their respective activity.

KEY CONTACTS

Tashko Pustina
tashkopustina.com/

Flonia Tashko
Partner
T +35542389190
flonia.tashko@tashkopustina.com

Alban Shanaj
Senior Associate
T +35542389190
alban.shanaj@tashkopustina.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


ALGERIA

Last modified 22 December 2021

LAW

Law No. 18-07 of 10 June 2018 on protection of natural persons in personal data processing (“ ”).Law No. 18-07

DEFINITIONS

Definition of Personal Data

Any information, regardless of the medium, relating to an identified or identifiable person, hereinafter referred to as “data subject”, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, genetic, biometric, mental, economic, cultural or social identity.

Definition of Sensitive Personal Data

Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of the data subject or relating to health, including genetic data.

NATIONAL DATA PROTECTION AUTHORITY

An independent administrative authority for the protection of personal data, known as the “national authority”, is hereby established, with its headquarters in Algiers.

The national authority is responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of the law and for ensuring that the use of information and communication technologies does not pose a threat to the rights of individuals, public freedoms and privacy.

However, although Law No. 18-07 provides for the existence of a national authority, it has not yet been set up.

REGISTRATION

Any processing of personal data is subject to prior declaration to or authorisation by the national authority.

The prior declaration, which includes an undertaking that the processing will be carried out in accordance with Law No. 18-07, is filed with the national authority. It may be made by electronic means.

However, as the national authority has not yet been set up, this procedure is not yet applicable.

DATA PROTECTION OFFICERS

The data controller shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

COLLECTION & PROCESSING

Personal data may only be processed with the express consent of the data subject. The data subject may withdraw his/her consent at any time.

However, in some cases, consent is not required if the processing is necessary.

The person concerned by the collection of their data has a right to information, a right of access, a right of rectification and a right to object to their data being collected.

TRANSFER

The data controller may only transfer personal data to a foreign State with the authorisation of the national authority in accordance with Law No. 18-07 and if that State ensures an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to the processing of such data.

In any case, it is forbidden to communicate or transfer personal data to a foreign country, when such transfer is likely to affect public security or the vital interests of the State.

However, as the national authority has not yet been established, the consent of the data subject is required.

SECURITY

The controller must put in place measures to ensure the integrity and protection of the data.

These measures must ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected.

If the processing is carried out on behalf of the controller, the controller must choose a processor providing sufficient guarantees in respect of the technical and organisational security measures relating to the processing to be carried out and must ensure compliance with those measures.

Transfer of data abroad

The foreign State must ensure an adequate level of protection of the privacy and fundamental rights and freedoms of individuals with regard to data processing.

The adequacy of the level of protection provided by a State is assessed in particular by the security measures applicable there.

BREACH NOTIFICATION

Administrative measures 

In case of violations of the provisions of Law No. 18-07 by the controller, administrative measures are taken by the national authority:

warning;

formal notice;

provisional withdrawal for a period not exceeding one year, or definitive withdrawal of the declaration receipt or authorisation;

a fine.

The national authority may also impose fines on the controller which:

refuses, without legitimate reason, the rights of information, access, rectification or opposition;

fails to make the required notifications to the national authority.

Criminal sanctions

Violation of the provisions of Law No. 18-07 is punishable by imprisonment and/or a fine.

However, as the national authority has not yet been established, the related sanctions are not applicable.

Mandatory breach notification

Where the processing of personal data over electronic communication networks results in the destruction, loss, alteration, disclosure or unauthorised access of such data, the service provider must notify the national authority and the data subject without delay where such a breach may affect the privacy of the data subject.

Failure by a service provider to notify the national authority or the data subject of a personal data breach is punishable by imprisonment and a fine.

ENFORCEMENT

The application of the sanctions listed under the above headings is relatively limited, as the national authority is not yet established.

However, offences committed by the data controller may be subject to criminal prosecution (without the need for action by the national authority).

ELECTRONIC MARKETING

Law No. 18-05 of 10 May 2018 on electronic commerce provides that the e-provider who collects personal data and builds up customer and prospect files must only collect the data necessary to conclude commercial transactions. It must:

collect the consent of e-consumers prior to the collection of data;

guarantee the security of information systems and the confidentiality of data;

comply with the relevant legislative and regulatory provisions.

ONLINE PRIVACY

Not applicable.

KEY CONTACTS

L&P Partners

Benaouda Miloudi
Associate

T +213 (7) 93 99 92 34

bmiloudi@dz-lpp.com

ANGOLA

Last modified 30 December 2021

LAW

Angola regulates data privacy and protection issues under the Data Protection Law (Law no. 22/11, 17 June 2011), the Electronic Communications and Information Society Services Law (Law no. 23/11, 20 June 2011) and the Protection of Information Systems and Networks Law (Law no. 7/17, 16 February 2017).

DEFINITIONS

Definition of personal data

The Data Protection Law defines personal data as any given information, regardless of its nature, including images and sounds related to a specific or identifiable individual.

An identifiable person is an individual directly or indirectly identified, notably, by reference to his or her identification number or to the combination of specific elements of his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The Data Protection Law defines sensitive personal data as personal data related to:

Philosophical or political beliefs

Political affiliations or trade union membership

Religion

Private life

Racial or ethnic origin

Health or sex life (including genetic data)

NATIONAL DATA PROTECTION AUTHORITY

The Data Protection Law establishes the Agência de Proteção de Dados (APD) as Angola’s data protection authority. APD’s Organic Statute was established by Presidential Decree 214/2016 of October 10, and its board currently in office was nominated by Presidential Decree 277/2019 of September 6.

REGISTRATION

As provided by Law, entities shall provide prior notice to, or obtain prior authorization from, APD (depending on the type of personal data and purpose of processing) to process personal data. Please note that in the case of authorization, compliance with specific legal conditions is mandatory. APD has authority to exempt certain processing from notification requirements.

Generally, notification and authorization requests should include the following:

The name and address of the controller and of its representative (if applicable)

The purposes of the processing

A description of the data subject categories and the personal data related to those categories

The recipients or under which categories of recipient to whom the personal data may be communicated and respective conditions

Details of any third party entities responsible for the processing

The possible combinations of personal data

The duration of personal data retention

The process and conditions for data subjects to exercise their rights

Any predicted transfers of personal data to third countries

A general description (to allow APD to assess whether security measures adopted are suitable to protect personal data in its processing)

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION & PROCESSING

Generally, entities must obtain prior express consent from data subjects and provide prior notice to the APD to lawfully collect and process personal data. However, data subject consent is not required in certain circumstances provided by law.

To lawfully collect and process sensitive personal data, a legal provision must allow for processing and entities must obtain prior authorization from APD (please note that the authorization may only be granted in specific cases provided by law). If sensitive personal data processing results from a legal provision, APD must be provided with notice.

All data processing must follow these general principles: transparency, legality, good faith, proportionality, truthfulness and respect to private life as well as to legal and constitutional guarantees.

It is also mandatory that data processing is limited to the purpose for which the data is collected and that personal data is not held for longer than is necessary for that purpose.

There are specific rules applicable to the processing of personal data related to the following:

Sensitive data on health and sexual life

Illicit activities, crimes and administrative offenses

Solvency and credit data

Video surveillance and other electronic means of control

Advertising by email

Advertising by electronic means (direct marketing)

Call recording

Specific rules for the processing of personal data within the public sector also apply.

TRANSFER

International transfers of personal data to countries with an adequate level of protection require prior notification to the APD. An adequate level of protection is understood as a level of protection equal to the Angolan Data Protection Law. APD decides which countries ensure an adequate level of protection by issuing an opinion to this respect.

International transfers of personal data to countries that do not ensure an adequate level of protection are subject to prior authorization from the APD, which will only be granted if specific requirements are met. For transfers between companies in the same group, the requirement of an adequate level of protection may be reached through the adoption of harmonized and mandatory internal rules on data protection and privacy.

Please note that the communication of personal data to a recipient, a third party or a subcontracted entity is subject to specific legal conditions and requirements.

SECURITY

Data controllers must implement appropriate technical and organizational measures and adopt adequate security levels to protect personal data from accidental or unlawful total or partial destruction, accidental loss, total or partial alteration, unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network) and against all other unlawful forms of processing.

Such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected, relative to the entity’s facilities and implementation costs. Specific security measures shall be adopted regarding certain types of personal data and purposes (notably, sensitive data, call recording and video surveillance).

Under the Protection of Information Systems and Networks Law, service providers, operators and companies offering information society services must: (i) guarantee the security of any device or set of devices used in the storage, processing, recovery or transmission of computer data on execution of a computer program and (ii) promote the registration of users as well as the implementation of technical measures in order to anticipate, detect and respond to risk situations. The Law requires an accident and incident management plan in case of a computer emergency.

BREACH NOTIFICATION

There is no mandatory breach notification requirement under the Data Protection Law.

However, pursuant to the Electronic Communications and Information Society Services Law, companies offering electronic communications services accessible to the public shall, without undue delay, notify the APD and the Electronic Communications Authority, Instituto Angolano das Comunicações (INACOM), of any breach of security committed with intent or that recklessly leads to destruction, loss, partial or total modification or non-authorized access to personal data transmitted, stored, retained or in any way processed under the offer of electronic communications services.

Companies offering electronic communications services accessible to the public shall also keep an accurate register of data breaches, indicating the concrete facts and consequences of each breach and the measures put in place to repair or prevent the breach.

The same applies under the Protection of Information Systems and Networks Law.

ENFORCEMENT

Data protection

As mentioned above, the competent authority for the enforcement of the Data Protection Law is the APD. However, considering that the APD was recently created, the level of enforcement is not significant at this stage.

Electronic communications

INACOM regulates and monitors compliance with the Electronic Communications and Information Society Services Law, and issues penalties for its violation. Presently, INACOM’s level of enforcement is not yet significant.

ELECTRONIC MARKETING

The dissemination of electronic communications for advertising purposes is generally subject to the prior express consent of its recipient (opt-in) and to prior notification to APD.

Entities may process personal data for electronic marketing purposes without data subject consent in specific circumstances, notably:

When advertising is addressed to the data subject as representative employee of a corporate person, and

When advertising communications are sent to an individual with whom the product or service supplier has already concluded a transaction, provided an opportunity to refuse consent was expressly provided to the customer at the time of the transaction at no additional cost.

ONLINE PRIVACY

The Electronic Communications and Information Society Services Law establishes the right of all citizens to enjoy protection against abuse or violations of their rights through the Internet or other electronic means, such as:

The right to confidentiality of communications and to privacy and non-disclosure of their data

The right to security of their information by improvement of quality, reliability and integrity of the information systems

The right to security on the Internet, specifically for minors

The right not to receive spam

The right to the protection and safeguarding of their consumer rights and as users of networks or electronic communications services

In view of the above, entities are generally prohibited from storing any kind of personal data without prior consent of the user. This does not prevent technical storage or access for the sole purpose of carrying out the transmission of a communication over an e-communication network or if strictly necessary in order for the provider of an information society service to provide a service expressly requested by the subscriber or user.

Traffic data

The processing of traffic data is allowed when required for billing and payment purposes, but processing is only permitted until the end of the period during which the bill may lawfully be challenged or payment pursued. Traffic data must be eliminated or made anonymous when no longer needed for the transmission of the communication.

The storage of specific information and access to that information is only allowed on the condition that the subscriber or user has provided his or her prior consent. The consent must be based on accurate, clear and comprehensive information, namely about the type of data processed, the purposes and duration of the processing and the availability of data to third parties in order to provide value added services.

Electronic communications operators may store traffic data only to the extent required and for the time necessary to market electronic communications services or provide value added services. Prior express consent is required and such consent may be withdrawn at any time.

Processing should be limited to those employees in charge of:

Billing or traffic management

Customer inquiries

Fraud detection

Marketing of electronic communications

Services accessible to the public

The provision of value added services

Notwithstanding the above, electronic communication operators should keep in an autonomous file all traffic and localization data exclusively for the purpose of:

Investigation

Detection, or

Prosecution of criminal offenses on Information and Communication Technologies (ICT)

Location data

Location data processing is only allowed if the data is made anonymous or to the extent and for the duration necessary for the provision of value added services, provided prior express consent is obtained. In this case, prior complete and accurate information must be provided on the type of data being processed, as well as the purposes and duration of processing and any possibility of disclosure to third parties for the provision of value added services.

Electronic communication operators must ensure that data subjects have the opportunity to withdraw consent, or temporarily refuse the processing of such data for each connection to the network or for each transmission of a communication, at any time. The withdrawal mechanism must be provided through simple means, free of charge to the user. Processing should be limited to those employees in charge of electronic communications services accessible to the public.

KEY CONTACTS

ACDA

Joni Garcia
Associate

ACDA

T +244 926 61 25 25

j.garcia@adca-angola.com

Murillo Costa Sanches
Of Counsel

ACDA

T +244 926 61 25 25

m.sanches@adca-angola.com

ARGENTINA

Last modified 24 January 2022

LAW

Article 43 of the Federal Constitution, third paragraph, provides, in relevant part, that any person may file an action to have access to personal data about such person and to information about the purpose with which they are kept, included in public data registries or banks, or in private data registries or banks, and to request the suppression, correction, confidentiality or updating of the data where inaccurate or discriminatory.

These provisions do not create an express constitutional right to privacy or data protection, but do create the basic framework for the protection of such right, as well as the foundation for the legislation, subsequently enacted, which regulates the details of that protection.

Law 25,326 – the Personal Data Protection Law (PDPL) includes the basic personal data rules. It follows international standards, and has been considered as granting adequate protection by the European Commission. Decree 1558 of 2001 includes regulations issued under the PDPL. Further regulations have been issued by the relevant agencies.

DEFINITIONS

Definition of personal data

Personal data is defined as information of any type referred to individuals or legal entities, determined or which may be determined.

Definition of sensitive personal data

Sensitive data includes personal data which reveal racial or ethnic origin, political opinions, religious, philosophical or moral convictions, trade union affiliation and information related to health and sexual activities.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to Decree 746 of 2017, it is the Agency for Access to Public Information (Agencia de Acceso a la Información Pública).

REGISTRATION

All archives, registries, databases and data banks, whether public or private, having the purpose of supplying information, must be registered with the Registry organized by the national data protection authority. This registration requires the following information, to be provided to the registry:

The name and domicile of the person responsible for the archive, registry, database or data bank

The characteristics and purpose of the archive, registry, database or data bank

The nature of the personal data included or to be included in the archive, registry, database or data bank

The way in which data are collected and updated

The destination of the data and the identity of the individuals or legal entities to whom such data may be transferred

The way in which the recorded information is interrelated

The means to assure the security of the data, indicating the category of persons with access to the processing of data

The term during which the data will be preserved

The way and conditions pursuant to which interested persons may have access to the data referring to such persons, and the procedures to be followed to rectify and update the registered data

DATA PROTECTION OFFICERS

Generally, there is no specific requirement to appoint a data protection officer. Under certain circumstances, in which special security standards apply, it may be necessary to appoint an officer in charge of data security.

COLLECTION & PROCESSING

Personal data collected for purposes of processing must be truthful, adequate, relevant and not excessive in relation to the scope and purpose for which they were obtained. The gathering of data shall not take place by unfair or fraudulent means or in an otherwise illegal manner.

Personal data may not be used for purposes different from or incompatible with those for which the personal data was initially collected. Personal data must be accurate and properly updated when necessary. Totally or partially inaccurate personal data, or those that are incomplete, shall be suppressed and substituted, or completed where relevant, by the person responsible for the archive or database, whenever such person becomes aware of the inaccurate or incomplete character of the information.

Consent from the data subject is required, which must be free, express and informed consent and in writing or in another equivalent form, unless:

The personal data were obtained from sources open to unrestricted public access

The personal data were obtained as part of the performance of state duties or in compliance with a legal obligation

The personal data consists of lists whose data are limited to the name, national identity document number, tax or social security identification, occupation, date of birth and domicile

The personal data are derived from a contractual, scientific or professional relationship and are necessary for such relationship

The personal data result from operations conducted by financial entities with their clients or consist in the information such financial entities receive from their clients pursuant to the Financial Entities Law

When the authorization for the collection and processing of data is requested, the data subject must be informed about the purpose for which the data will be processed, as well as about the individuals or groups of individuals who will have access to the processed information. In addition, the archive, registry or data bank where the information will be kept must be identified, together with the person responsible for it. The data subject must be informed about the voluntary or compulsory nature of the answers requested from the data subject, as well as about the consequences of providing the personal data or of refusing to give such information or of providing untruthful information. The data subject must also be informed about the right to access, rectify and suppress the relevant data.

Special rules apply to sensitive data. No person may be required to disclose sensitive data. Sensitive data may only be collected and processed where necessary, and with consent, as expressly permitted by law, or for statistical or scientific purposes provided the person they refer to may not be identified.

Data related to criminal records may only be processed by the relevant public authorities.

TRANSFER

Transfers and disclosures to third parties

Personal data may only be transferred for legitimate purposes of the transferor and the transferee, and generally with the prior consent of the data subject, who must be informed of the transfer’s purpose and of the transferee’s identity. This consent may be rescinded.

Consent is not required in the case of transfer of data regarding which consent was not necessary for collection. Also, it is not necessary in the case of transfer of data between state agencies, for purposes of performance of their respective activities, or in connection with health-related data, if the transfer is necessary for public health or emergency reasons, or for the performance of epidemiological studies, provided the identity of the persons to whom such data refer is reserved by means of an adequate dissociation mechanism. In addition, consent is not necessary, for personal data generally, if an adequate dissociation mechanism is used in a way such that the data subjects are not identifiable.

Cross-border transfers

The cross-border transfer of personal data is prohibited to countries or international or supranational organizations which do not provide adequate protection to such data, unless:

The data subjects expressly consent to that transfer

The transfer is necessary for international judicial cooperation

The transfer takes place as part of certain exchanges of medical data

The transfer consists of bank or stock exchange transfers, in the context of banking or stock exchange transactions

The transfer takes place as provided in the context of international treaties to which Argentina is a party

The transfer has as its purpose the international cooperation between intelligence agencies engaged in combating organized crime, terrorism and drug traffic

SECURITY

The person responsible for a data archive, or using such archive, must adopt the technical and organizational measures to assure the security and confidentiality of personal data, so as to avoid their adulteration, loss, consultation or non-authorized processing, and to detect the misuse of information. The recording of personal data in archives, registries or data banks that do not comply with the legal requirements on integrity and security is prohibited.

BREACH NOTIFICATION

Not specifically required under data protection law.

Failure to notify a data security breach is not in itself a violation of the data protection regime, but may bear on the effects of a security violation, especially if lack of such notification results in other security breaches or damages. The person responsible for the data must keep records on security breaches, and these records may be requested by the data protection authority.

Breach notification may be mandatory if the data protection authority specifically requests information about data breaches.

ENFORCEMENT

There are several enforcement mechanisms:

The data protection authority may enforce the legal provisions and regulations on data protection, imposing fines in case of violation.

Violation of data protection rules may constitute a crime subject to prison terms imposed by criminal courts.

Court actions may be brought to have access to personal data and to request their correction, suppression, confidentiality or updating.

ELECTRONIC MARKETING

Electronic marketing, to the extent that it may involve processing of personal data, is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to use and disclosure of personal data and data subject rights.

ONLINE PRIVACY

Although there are no detailed regulations on online privacy, the general rules on privacy provided by the Civil and Commercial Code are applicable in this context. Nuisances from unrequested communications may be actionable. Unauthorized collection of personal data will be subject to the general rules applicable to such data.

KEY CONTACTS

Guillermo Cabanellas
Senior Partner

T +5411 41145500

g.cabanellas@dlapiper.ar

ARMENIA

Last modified 21 December 2021

LAW

Personal Data Protection Law as of 18.05.2015, number ՀՕ-49-Ն.

DEFINITIONS

Definition of Personal Data

Personal Data is defined as any information related to an individual that allows or may allow directly or indirectly identifying a person.

Definition of Sensitive Personal Data

Special Category data is defined as any information related to a person’s

race

nationality or ethnicity

political views

religious or philosophical beliefs

membership in a professional union

health status, and

sexual life.

NATIONAL DATA PROTECTION AUTHORITY

Personal Data Protection Agency of the Ministry of Justice of the Republic of Armenia.

REGISTRATION

Registration is voluntary unless otherwise specified by the authorised body.

DATA PROTECTION OFFICERS

No requirement to appoint a data protection officer.

COLLECTION & PROCESSING

By and large, entities must obtain prior express consent from data subjects to lawfully collect and process personal data. Consent is not necessary in the cases directly provided for by legislation, or if the data is being collected from public sources.

The data subject may give his or her consent in person or through a representative, where the power of attorney specifically provides for such a power.

The data subject’s consent shall be considered to be given, and the processor shall have the right to process, where:

personal data are indicated in a document addressed to the processor and signed by the data subject, except for the cases when the document, by its content, is an objection against processing of personal data;

the processor has obtained data on the basis of an agreement concluded with the data subject and uses it for the purposes of operations prescribed by that agreement;

the data subject, voluntarily and for use purposes, verbally transfers information on his or her personal data to the processor.

Personal data may be processed without the data subject’s consent where the processing of data is directly provided for by law.

The processor of personal data or the authorised person, in order to obtain the data subject’s written consent, shall notify the data subject of the intention to process the data.

The data subject shall give his or her consent in writing or electronically, validated by an electronic digital signature; in the case of oral consent, by means of such reliable operations as will obviously attest the consent of the data subject to the use of the personal data.

Specific rules apply to persons with incapacity or limited capacity and to minors under the age of 16.

Specific rules apply to biometric personal data.

TRANSFER

Transfer to third parties shall mean an operation aimed at transferring personal data to a certain scope of persons or to the public at large, or at familiarising them with such data, including disclosure of personal data through the mass media, posting in information communication networks or otherwise making personal data available to another person.

The processor may transfer personal data to third parties or grant access to data without the data subject’s consent where this is provided for by law and the recipient has an adequate level of protection.

The processor may transfer special category personal data to third parties or grant access to such data without the data subject’s consent where:

the data processor is considered a processor of special category personal data as prescribed by law or an interstate agreement, and the transfer of such information is directly provided for by law and has an adequate level of protection;

in exceptional cases provided for by law, special category personal data may be transferred for protecting the life, health or freedom of the data subject.

Personal data may be transferred to another country with the data subject’s consent, or where the transfer of data stems from the purposes of processing personal data and/or is necessary for the implementation of these purposes.

Personal data may be transferred to another state without the permission of the authorised body where the given state ensures an adequate level of protection of personal data.

SECURITY

The processor has an obligation to destroy or block personal data that are not necessary for achieving the legitimate purpose.

In the course of processing personal data, the processor shall be obliged to use encryption keys to ensure the protection of information systems containing personal data against accidental loss, unauthorised access to the information system, and unlawful use, recording, destruction, alteration, blocking, copying and dissemination of personal data and other interference.

The processor is obliged to prevent persons without a right of access from accessing the technologies used for processing personal data, and to ensure that lawful users of these systems access only the data they are entitled to process and use.

The requirements for ensuring the security of processing of personal data in information systems, the requirements for tangible media of biometric personal data, and the technologies for storage of such personal data outside information systems shall be prescribed by decision of the government of the Republic of Armenia. Where another body exercising control is prescribed by law, that body, within the scope of the powers reserved to it by law, may prescribe requirements higher than those provided above.

Use and storage of biometric personal data outside information systems may be carried out only through such tangible media, and by application of such technologies or forms, as ensure the protection of these data from unauthorised access, unlawful use, destruction, alteration, blocking, copying, dissemination of the personal data, etc.

Processors of personal data or other persons provided for by this law shall be obliged to maintain confidentiality both in the course of performing official or employment duties concerning the processing of personal data and after completing them.

BREACH NOTIFICATION

Where unlawful operations performed upon personal data are revealed, the processor shall be obliged to eliminate the committed violations immediately, and not later than within three working days. Where it is impossible to eliminate the violations, the processor shall be obliged to immediately destroy the personal data.

The processor shall be obliged to inform the data subject or his or her representative of the elimination of the violations or the destruction of the personal data within three working days and, where a request is received from the authorised body for the protection of personal data, also that body.

Mandatory breach notification

In case of an outflow (leak) of personal data from electronic systems, the processor shall be obliged to immediately publish an announcement thereon, and to report the outflow to the Police of the Republic of Armenia and to the authorised body for the protection of personal data.

ENFORCEMENT

The authorised body for the protection of personal data is entitled to:

check, on its own initiative or on the basis of an appropriate application, the compliance of the processing of personal data with the requirements of this Law;

apply administrative sanctions prescribed by law in the case of violation of the requirements of this Law;

require blocking, suspending or terminating the processing of personal data that violates the requirements of this Law;

require from the processor rectification, modification, blocking or destruction of personal data where grounds provided for by this Law exist;

prohibit completely or partially the processing of personal data as a result of examination of the processor’s notification on processing personal data;

keep a register of processors of personal data;

recognise electronic systems for processing of personal data of legal persons as having an adequate level of protection and include them in the register;

check the devices and documents, including the existing data and computer software used for processing data;

apply to court in cases provided for by law;

exercise other powers prescribed by law;

maintain the confidentiality of personal data entrusted to it or known to it in the course of its activities;

ensure the protection of the rights of the data subject;

consider applications of natural persons regarding the processing of personal data and deliver decisions within the scope of its powers;

submit, once a year, a public report on the current situation in the field of personal data protection and on its activities of the previous year;

conduct research and provide advice on processing data on the basis of applications or submissions of processors, or inform on best practices on processing of personal data;

report to law enforcement bodies where doubts arise with regard to violations of a criminal law nature in the course of its activities.

ELECTRONIC MARKETING

There is no regulation. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

ONLINE PRIVACY

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

KEY CONTACTS

LEGELATA Law Firm

legelata.am/


Arthur Buduryan
Partner

LEGELATA Law Firm

T +37495993696

arthur.buduryan@legelata.am

Artyom Poghosyan
Associate

LEGELATA Law Firm

T +37495992636

artyom.poghosyan@legelata.am


ARUBA

Last modified 21 December 2021

LAW

National Ordinance Person Registration (Landsverordening persoonsregistratie, National Gazette 2011, Consolidated text no. 37) (“National Ordinance Person Registration”);

General Data Protection Regulation (the “GDPR”), a regulation of the European Union which became effective on May 25, 2018, may have implications for a data controller / data processor, as the extra-territorial reach of the GDPR is relevant not only to businesses established in the European Union but also to international businesses established in Aruba which offer goods or services to individuals in the European Union or monitor their behaviour in the European Union.

DEFINITIONS

Definition of Personal Data

National Ordinance Person Registration 

According to the Explanatory Memorandum on the National Ordinance Person Registration, the term personal data has a broad meaning. It covers not only data that can identify a person, but any data that can be associated with a particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic comparison and lengthy investigation. Personally identifiable data is therefore not limited to home address, email address, telephone number, membership number and/or identity number.

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

National Ordinance Person Registration 

Religion or belief, race, political opinion, sexuality, as well as personal data of a medical, psychological or disciplinary nature, and personal data concerning trade union membership.

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.


NATIONAL DATA PROTECTION AUTHORITY

National Ordinance Person Registration 

Public prosecutor. 

GDPR 

An independent public authority established by a Member State pursuant to article 51 of the GDPR (article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing, and to facilitate the free flow of personal data within the EU.

REGISTRATION

National Ordinance Person Registration 

No registration required. 

GDPR 

Article 30 GDPR requires controllers and processors to maintain a record (which may be kept in electronic form) of all personal data processing activities carried out by the company.

DATA PROTECTION OFFICERS

National Ordinance Person Registration 

Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall implement appropriate technical and organizational measures to secure personal data against loss or violation, and against unauthorized access, change or transmission thereof.

Beyond the measures above, the National Ordinance Person Registration does not contain any clauses on appointing a mandatory data protection officer.

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

When the organisation is a public authority or body;

If the core activities require regular and systematic monitoring of data subjects on a large scale; or

If the core activities involve large scale processing of special categories of personal data or data relating to criminal convictions.

COLLECTION & PROCESSING

National Ordinance Person Registration 

Controller (holder of a registration): a natural or legal person, public authority, agency or other body which has control over a person registration.

Processor: a natural or legal person, public authority, agency or other body which possesses all or part of the equipment with which a person registration, of which it is not the holder, is kept.

GDPR 

Controller: a natural or legal person, public authority, agency or other body which collects personal data and determines the purposes for which it is used, such as a website that markets to users based on their online behaviour.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under its authority.

TRANSFER

National Ordinance Person Registration 

Under article 9 of the National Ordinance Person Registration, recorded data will only be made available to third parties in accordance with the purpose of the register, and where required by law or done with the consent of the registered persons.

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, and thus outside the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way (for example by an adequacy decision or appropriate safeguards), or one of a limited number of exceptions applies.

SECURITY

National Ordinance Person Registration 

Pursuant to article 8 of the National Ordinance Person Registration, the data controller shall implement appropriate technical and organizational measures to secure personal data against loss or violation, and against unauthorized access, change or transmission thereof.

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).

BREACH NOTIFICATION

National Ordinance Person Registration 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

ENFORCEMENT

National Ordinance Person Registration 

Pursuant to article 20 of the National Ordinance Person Registration, an individual violating the provisions of the National Ordinance Person Registration can be punished with a maximum fine of Afl. 10,000 (approx. USD 5,586.59).

GDPR 

The GDPR provides a variety of potential penalties for businesses.

For example, article 77 of the GDPR states that:

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.”

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”

Penalties 

Compensation to Data Subjects. One remedy that may be imposed is compensation to “any person who has suffered material or non-material damage as a result of an infringement of this Regulation” (article 82 of the Regulation) for the damage they have suffered.

Fines 

Article 83 of the GDPR specifies different tiers of administrative fines that vary based on the nature of the infringement, its severity, and the level of cooperation that the controller or processor provides to the supervisory authority. Less severe infringements may incur administrative fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover for the preceding financial year (whichever is greater), while more severe infringements may double these fines (EUR 20,000,000 or 4% of annual turnover).

Individual Member States of the EU may apply additional fines and penalties as well. These additional penalties are not specifically listed in the text of the Regulation, since they are left to the individual Member States to set; the only guidelines in article 84 of the GDPR are that “such penalties shall be effective, proportionate and dissuasive” and that “each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

ELECTRONIC MARKETING

National Ordinance Person Registration 

N/A 

GDPR

Under the GDPR’s consent requirements (articles 6 and 7), read together with article 13 of the ePrivacy Directive (Directive 2002/58/EC), organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.

They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

ONLINE PRIVACY

National Ordinance Person Registration

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies may process their users’ data as long as they have obtained consent or have a legitimate interest.

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner that singles out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address, etc. are not known.

KEY CONTACTS

HBN Law & Tax

hbnlawtax.com/


Maarten Willems
Senior Associate

HBN Law & Tax

T +297 588 6060

maarten.willems@hbnlawtax.com

Misha Bemer
Partner

HBN Law & Tax

T +297 588 6060

misha.bemer@hbnlawtax.com


AUSTRALIA

Last modified 23 December 2021

LAW

Australia regulates data privacy and protection through a mix of federal, state and territory laws. The federal Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (“APPs”) contained in the Privacy Act apply to private sector entities (including bodies corporate, partnerships, trusts and unincorporated associations) with an annual turnover of at least AU$3 million, and to all Commonwealth Government and Australian Capital Territory Government agencies.

The Privacy Act regulates the handling of personal information by relevant entities. Under the Privacy Act, the Privacy Commissioner has authority to conduct investigations, including own-motion investigations, to enforce the Privacy Act and to seek civil penalties for serious and egregious breaches, or for repeated breaches of the APPs where an entity has failed to implement remedial efforts.

Most States and Territories in Australia (except Western Australia and South Australia) have their own data protection legislation applicable to relevant State or Territory government agencies, and to private businesses that interact with State and Territory government agencies. These Acts include:

Information Privacy Act 2014 (Australian Capital Territory)

Information Act 2002 (Northern Territory)

Privacy and Personal Information Protection Act 1998 (New South Wales)

Information Privacy Act 2009 (Queensland)

Personal Information Protection Act 2004 (Tasmania), and

Privacy and Data Protection Act 2014 (Victoria)

Additionally, there are other parts of State, Territory and federal legislation that relate to data protection. For example, the following all impact privacy and data protection for specific types of data or activities: the Telecommunications Act 1997 (Cth), the Criminal Code Act 1995 (Cth), the National Health Act 1953 (Cth), the Health Records and Information Privacy Act 2002 (NSW), the Health Records Act 2001 (Vic) and the Workplace Surveillance Act 2005 (NSW).

Specific regulators have also expressed an expectation that regulated entities should have specified data protection practices in place. For example, the Australian Prudential Regulation Authority (“APRA”), which regulates financial services institutions, requires regulated entities to comply with Prudential Standards, including Prudential Standard CPS 234 Information Security (CPS 234), and the Australian Securities and Investments Commission regulates corporations more generally.

Other important privacy and data protection laws


Assistance and Access Act

The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 (Cth) (“AA Act”) provides law enforcement agencies with access to encrypted data for serious crime investigations and imposes obligations on “Designated Communications Providers”. However, the AA Act may inadvertently have a much broader remit with limited judicial oversight, and has been the subject of much criticism from local and global technology firms, which have stated that the legislation has the potential to significantly impact security / encryption solutions in Australia.

The AA Act allows various agencies to do any of the following:

Issue a “technical assistance notice”, which requires a communications provider to give assistance that is reasonable, proportionate, practicable and technically feasible

Issue a “technical capability notice”, which requires a communications provider to build new capabilities to assist the agency. The Attorney-General must consult with the communications provider prior to issuing the notice, and must be satisfied that the notice is reasonable, proportionate, practicable and technically feasible

Make “technical assistance requests”, which give foreign and domestic communications providers and device manufacturers a legal basis to provide voluntary assistance to various Australian intelligence organizations and interception agencies on matters of national interest, national security and law enforcement

Organizations will need to ensure that customer terms and conditions deal carefully with the matter of legal compliance and with any commitments made to customers generally.

Consumer Data Right

The Commonwealth Government is in the implementation phases of the Consumer Data Right (“CDR”), following a number of policy reviews including the Productivity Commission’s “Data Availability and Use” report and the “Review into Open Banking in Australia”.

The CDR allows a consumer to obtain certain data held about that consumer by a third party, and to require that data be given to accredited third parties for certain purposes. By requiring businesses to provide public access to information on specified products they have on offer, it is intended that consumers’ ability to compare and switch between products and services will be improved, and that competition between service providers will be encouraged, which could lead to better prices for customers and more innovative products and services. In this way, the CDR provides a mechanism for accessing a broader range of information within designated sectors than is provided for by APP 12 in the Privacy Act, given that it applies not only to data about individual consumers but also to business consumers and related products.

The CDR rules have been implemented in respect of the banking sector in Australia. The energy sector is the next to be added to the CDR, with the telecommunications sector currently scheduled to follow. Other sectors across the economy will be added to the CDR over time.

The CDR regime addresses competition, consumer, privacy and confidentiality issues. As such, it is regulated by the Australian Competition and Consumer Commission as well as the Office of the Australian Information Commissioner.

DEFINITIONS

Definition of personal data 

Personal data (referred to as ‘personal information’ in Australia) means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in material form or not.

The Privacy Act currently contains an exemption for “employee records”, such that any records containing personal information which an employer makes in connection with a current or former employment relationship are exempt from the Privacy Act. However, there are some carve-outs to this (for example, the exemption does not apply to contractors or unsuccessful applicants), and it is widely anticipated that the employee records exemption will be removed from the Privacy Act as a result of the ongoing review of the Privacy Act (see Enforcement).


Definition of sensitive personal data

Sensitive personal data (referred to as ‘sensitive information’ in Australia) means information or an opinion about:

Racial or ethnic origin

Political opinions

Membership of a political association

Religious beliefs or affiliations

Philosophical beliefs

Membership of a professional or trade association

Membership of a trade union

Sexual orientation or practices

Criminal record that is also personal information

Health information about an individual

Genetic information about an individual that is not otherwise health information

Biometric information that is to be used for the purpose of automated biometric identification or verification

Biometric templates

NATIONAL DATA PROTECTION AUTHORITY

The Privacy Commissioner, under the Office of the Australian Information Commissioner (“OAIC”), is the national data protection regulator responsible for Privacy Act oversight.

175 Pitt Street Sydney NSW 2000

T 1300 363 992

F +61 2 9284 9666

REGISTRATION

There is no registration requirement in Australia for data controllers or data processing activities. Under the Privacy Act, organizations are not required to notify the Privacy Commissioner of any processing of personal information.

DATA PROTECTION OFFICERS

Organizations are not required to appoint a data protection officer. However, the Privacy Commissioner has issued guidance recommending that organizations appoint a data protection officer as good practice.

COLLECTION & PROCESSING

Organizations may not collect personal information unless the information is reasonably necessary for one or more of their business functions or activities.

Under the Privacy Act, organizations must take reasonable steps to ensure that the personal information they collect is accurate and up to date.


At or before the time organizations collect personal information, or as soon as practicable afterwards, they must take reasonable steps to provide individuals with notice of:

The Organization’s identity and contact information

Why it is collecting (or how it will use the) information about the individual

The entities or types of entities to which it might give the personal information

Any law requiring the collection of personal information

The main consequences (if any) for the individual if all or part of the information is not provided

The fact that the organization’s privacy policy contains information about how the individual may access and seek correction of their personal information, how they may make a complaint about a breach of the APPs, and how the organization will deal with such a complaint

Whether the organization is likely to disclose their personal information to overseas recipients and, if so, the countries in which such recipients are likely to be located

Organizations should comply with these notification requirements by preparing a “collection statement” or “privacy notice” for each significant collection of personal information, and providing this to individuals prior to collecting their personal information.

This notification requirement applies in addition to the requirement for organisations to maintain a broader privacy policy, which details the general personal information handling processes of the organisation. APP 1 lists the information which is required to be included in a privacy policy.

In practice, a major Privacy Act compliance issue often arises because organizations fail to recognize that the mandatory notice requirements outlined above also apply to any personal information collected from a third party. Organizations must provide individuals with the required notice on receipt of personal information from a third party, even though they did not collect the personal information directly from the individual. Unlike Europe, Australian privacy law does not distinguish between ‘data processors’ and ‘data controllers’.

Organizations must not use or disclose personal information about an individual unless one or more of the following applies:

The personal information was collected for that purpose (the primary purpose) or a different (secondary) purpose which is related to (and, in the case of sensitive information, directly related to) the primary purpose of collection and the individual would reasonably expect the organization to use or disclose the information for that secondary purpose.

The individual consents.

The information is not sensitive information and disclosure is for direct marketing and it is impracticable to seek the individual’s consent and (among other things) the individual is told that they can opt out of receiving marketing from the organization.

A ‘permitted general situation’ or ‘permitted health situation’ exists; for example, the entity has reason to suspect that unlawful activity relating to the entity’s functions has been engaged in, or there is a serious threat to the health and safety of an individual or the public.

It is required or authorized by law or on behalf of an enforcement agency.

In the case of use and disclosure for the purpose of direct marketing, organizations are required to ensure that:

Each direct marketing communication provides a simple means by which the individual can opt out

The individual has not previously requested to opt out of receiving direct marketing communications

The above direct marketing requirements apply to all forms of direct marketing. Additionally, specific requirements for commercial electronic messaging are outlined in Electronic Marketing (https://www.dlapiperdataprotection.com/countries/australia/electronic-marketing.html).

The Privacy Act affords additional protections when processing involves sensitive information. Organizations are prohibited from collecting sensitive information from an individual unless certain limited requirements are met, including one or more of the following:

The individual has consented to the collection and the collection of the sensitive information is reasonably necessary for one or more of the entity’s functions or activities.

Collection is required or authorized by law or a court/tribunal order.

A ‘permitted general situation’ or ‘permitted health situation’ exists (for example, where the information is required to establish or defend a legal or equitable claim or there is a serious threat to the life or health of the individual or the public).

The entity is an enforcement body and the collection is reasonably necessary for that entity’s functions or activities.

The entity is a nonprofit organization and the information relates to the activities of the organization and solely to the members of the organization (or to individuals who have regular contact with the organization relating to its activities).

Organizations must provide individuals with access to their personal information held by the organization upon an individual’s request. Additionally, individuals have a right to correct inaccurate, out-of-date, and irrelevant personal information held by an organization. Under certain circumstances, the organization may limit the extent to which it provides an individual with access or correction rights, including in emergency situations, specified business imperatives, and law enforcement or other public interests.

Further, organizations must provide individuals with the option to not identify themselves, or use a pseudonym, when dealing with the organization, unless it is impractical to do so or the organization is required or authorized by law to deal with identified individuals.

TRANSFER

Unless certain limited exemptions under the Privacy Act apply, personal information may only be disclosed to an organization outside of Australia where the entity has taken reasonable steps to ensure that the overseas recipient does not breach the APPs (other than APP 1) in relation to the personal information. The disclosing / transferring entity will generally remain liable for any act(s) done or omissions by that overseas recipient that would, if done by the disclosing organization in Australia, constitute a breach of the APPs. However, this provision will not apply where any of the following apply:

The organization reasonably believes that the recipient of the information is subject to a law or binding scheme which effectively provides for a level of protection that is at least substantially similar to the Privacy Act, including as to access to mechanisms by the individual to take action to enforce the protections of that law or binding scheme. There can be no reliance on contractual provisions requiring the overseas entity to comply with the APPs to avoid ongoing liability (although the use of appropriate contractual provisions is a step towards ensuring compliance with the ‘reasonable steps’ requirement).

The individual consents to the transfer. However, under the Privacy Act the organization must, prior to receiving consent, expressly inform the individual that if he or she consents to the overseas disclosure of the information the organization will not be required to take reasonable steps to ensure the overseas recipient does not breach the APPs.

A ‘permitted general situation’ applies.

The disclosure is required or authorized by law or a court/tribunal order.

SECURITY

An organization must have appropriate security measures in place (ie, ‘take reasonable steps’) to protect any personal information it retains from misuse and loss and from unauthorized access, modification or disclosure. The Privacy Commissioner has issued detailed guidance on what it considers to be reasonable steps in the context of security of personal information, which we recommend be reviewed and implemented. Depending on the organization, and how and by which government agency it is regulated, as noted above specific requirements or expectations may also exist with which organizations should be familiar. An organization must also take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for the purpose(s) for which it was collected.

BREACH NOTIFICATION

Entities with obligations to comply with the Privacy Act must comply with the mandatory data breach notification regime under the Privacy Act.

The mandatory data breach notification includes data breaches that relate to:

Personal information

Credit reporting information

Credit eligibility information

Tax file numbers

In summary, the regime requires organizations to notify the OAIC and affected individuals of “eligible data breaches” (in accordance with the required contents of a notice). Where it is not practicable to notify the affected individuals individually, an organization that has suffered an eligible data breach must make a public statement on its website containing certain information as required under the Privacy Act, and take reasonable steps to publicise the contents of the statement.

An “eligible data breach” occurs when all of the following conditions are satisfied in relation to personal information, credit reporting information, credit eligibility information or tax file information:

There is unauthorized access to, or unauthorized disclosure of, or loss of the information

A reasonable person would conclude that the access or disclosure, or loss would be likely to result in serious harm to any of the individuals to which the information relates

Prevention of the risk of serious harm through remedial action has not been successful

While “serious” harm is not defined in the legislation, the OAIC has released guidance on how serious harm may be interpreted and assessed by organizations. There are a number of key criteria to examine when determining if “serious” harm is likely to result from a breach which should be assessed holistically and take into account: the kinds of information, sensitivity, security measures protecting the information, the nature of the harm (ie, physical, psychological, emotional, financial or reputational harm) and the kind(s) of person(s) who may obtain the information.

The regime also imposes obligations on organizations to assess within 30 calendar days whether an eligible data breach has occurred where the organization suspects (on reasonable grounds) that an eligible data breach has occurred, but that suspicion does not amount to reasonable grounds to believe that an eligible data breach has occurred.

There are various exceptions to the requirement to notify affected individuals and/or the OAIC of a data breach, including in instances where law enforcement related activities are being carried out or where there is a written declaration by the Privacy Commissioner.

The introduction of the regime has resulted in many organizations requiring detailed contractual obligations with third party suppliers in relation to cybersecurity and the protection of personal information of their customers / clients. Complementing this regime, the OAIC has also released several guidance notes relating to the regime which include topics such as the security of personal information and whilst these are not legally binding, they are considered industry best practice.

Further, organizations may have additional obligations to notify other regulators of data breaches in certain circumstances including under the Prudential Standard CPS 234 Information Security (“CPS 234”) which aims to strengthen APRA-regulated entities’ resilience against information security incidents (including cyberattacks), and their ability to respond swiftly and effectively in the event of a breach. CPS 234 applies to all APRA-regulated entities who, among other things, are required to notify APRA within 72 hours “after becoming aware” of an information security incident and no later than 10 business days after “it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner”.

ENFORCEMENT

The Privacy Commissioner is responsible for the enforcement of the Privacy Act and will investigate an act or practice if the act or practice may be an interference with the privacy of an individual and a complaint about the act or practice has been made. Generally, the Privacy Commissioner prefers mediated outcomes between the complainant and the relevant organization. Importantly, where the Privacy Commissioner undertakes an investigation of a complaint which is not settled, it is required to ensure that the results of that investigation are publicly available. Currently, this is undertaken by disclosure through the OAIC website of the entire investigation report.

The Privacy Commissioner may also investigate any “interferences with the privacy of an individual” (ie, any breaches of the APPs) on its own initiative (ie, where no complaint has been made) and the same remedies as below are available.

After investigating a complaint, the Privacy Commissioner may dismiss the complaint or find the complaint substantiated and make declarations that the organization rectify its conduct or that the organization redress any loss or damage suffered by the complainant (which can include non-pecuniary loss such as awards for stress and/or humiliation). Furthermore, fines of up to AU$440,000 for an individual and AU$2.2 million for corporations may be requested by the Privacy Commissioner and imposed by the Courts for serious or repeated interferences with the privacy of individuals.

Following the release of the Australian Competition and Consumer Commission’s Digital Platforms Inquiry report in December 2019, the Australian Government accepted the need for proposed reforms to the Privacy Act. A draft bill has been published which would increase penalties under the Privacy Act to the greater of: AU$10 million, three times the value of the benefit obtained through the misconduct, or 10% of annual turnover (as well as introducing the framework for a binding online privacy code for social media and certain other online platforms, including data brokerage services and platforms with more than 2,500,000 end users in Australia (excluding customer loyalty schemes)). If these changes proceed, they would bring penalties for corporations in line with those already in force under the Competition and Consumer Act 2010 (Cth) for breaches of the Australian Consumer Law. As well as the current proposed changes, a broader review of the Privacy Act is currently being undertaken by the Australian Government, in accordance with the published terms of reference.

ELECTRONIC MARKETING

The sending of electronic marketing (referred to as ‘commercial electronic messages’ in Australia) is regulated under the Spam Act 2003 (Cth) (“Spam Act”) and enforced by the Australian Communications and Media Authority.

Under the Spam Act, a commercial electronic message (which includes emails and SMSs sent for marketing purposes) must not be sent without the prior opt-in consent of the recipient.

In addition, each electronic message (which the recipient has consented to receive) must identify the sender and contain a functional unsubscribe facility to enable the recipient to opt out of receiving future electronic marketing. Requests to unsubscribe must be processed within 5 business days.

A failure to comply with the Spam Act (including failing to unsubscribe a recipient who uses the unsubscribe facility) may have costly consequences, with repeat offenders facing penalties of up to AU$2.1 million per day.

ONLINE PRIVACY

There are no laws or regulations in Australia specifically relating to online privacy, beyond the application of the Privacy Act, the Spam Act and State and Territory privacy laws relating to online / e-privacy, and other specific laws regarding the collection of location and traffic data etc. Specifically, there are no specific legal requirements regarding the use of cookies (or any similar technologies). If the cookies or other similar technologies collect personal information of a user, the organization must comply with the Privacy Act in respect of collection, use, disclosure and storage of such personal information. App developers must also ensure that the collection of customers’ personal information complies with the Privacy Act, and the Privacy Commissioner has released detailed guidance on this.

KEY CONTACTS

Nicholas Boyle
Partner
T +61 2 9286 8479
nicholas.boyle@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

AUSTRIA

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

In Austria, the laws concerning the implementation of the GDPR have been adopted gradually. In summer 2017, the existing Data Protection Act 2000 (Datenschutzgesetz 2000) was amended by the Data Protection Amendment Act 2018 (Datenschutz-Anpassungsgesetz 2018) which constituted the first implementation of various regulations related to GDPR, and was intended to enter into force simultaneously with GDPR. The ‘Data Protection Act’ (Datenschutzgesetz, DSG) has considerably amended the Data Protection Act 2000. In addition to the GDPR, it is now the central piece of legislation in Austria regulating data privacy.

The Privacy Deregulation Act 2018 (Datenschutz-Deregulierungs-Gesetz 2018) further amended the DSG. The DSG, as amended by the Privacy Deregulation Act 2018, came into force on May 25, 2018 and is now the applicable regulation in Austria. The DSG also includes the implementation of the Directive (EU) 2016/680.

In addition to the DSG, further amendments to other statutory laws were adopted in order to implement the GDPR (mostly to adapt to the terminology of the GDPR). These amendments were included in the General Data Protection Adjustment Act (Materien-Datenschutz-Anpassungsgesetz 2018) and the research-sector specific Data Protection Adjustment Act – Science and Research (Datenschutz-Anpassungsgesetz 2018 – Wissenschaft und Forschung – WFDSAG 2018). Further amendments in other laws have been made by the Second General Data Protection Adjustment Act, which was passed in June 2018 and applies retroactively. Finally, ordinances were also passed regulating respectively the cases where a data privacy impact assessment is obligatory (the Obligatory DPIA Ordinance – DSFA-V) and the exemptions from the obligation to conduct a data privacy impact assessment (the DPIA Exemptions Ordinance – DSFA-AV).

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly referred to in Recital 30, with IP addresses, cookies and RFID tags listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR concerns the “processing” of personal data. Processing has a broad meaning, and includes any set of operations performed on data, including mere storage, hosting, consultation or deletion.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to former legislation, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The DSG does not include any additional definitions or derogations to the GDPR. However, Section 1 DSG, which provides a constitutional (human) right to data privacy, does not use the definition of “data subject” of the GDPR, but rather uses the term “everyone” which is currently interpreted to include legal entities and other organizations too. Consequently, the constitutional (human) right to data privacy, as well as some basic data subject rights, as regulated in Section 1 DSG, also apply to legal entities and other organizations.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is conducted by data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (successor of the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR establishes the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Austrian Data Protection Authority (Österreichische Datenschutzbehörde) can be contacted as follows:

Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Vienna
Austria / Europe
Phone number: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

If possible, the Austrian Data Protection Authority prefers to communicate via email.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if one of the following conditions is met:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

The DSG contains in its Section 5 some additional regulation in respect to the rights and obligations of the DPO. Thereunder, the DPO and all persons working for the DPO are obliged to retain confidentiality regarding the identity of the persons that have approached the data protection officer as well as regarding all the circumstances that could reveal the identity of such persons.

Under certain circumstances, the DPO and their assistant personnel have the right to refuse testimony regarding the data obtained in their capacity as data protection officer, if a person employed in a position subject to the data protection officer’s supervision is entitled to such right and to the extent that person has exercised such right. All files and other documents of the data protection officer which are subject to this statutory right to remain silent in the aforementioned extent cannot be lawfully seized.

Further regulations in Section 5 concern the DPOs of public organizations.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core principle of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance, potentially for years after a particular decision regarding processing of personal data. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce national legislation regarding processing of genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by national legislation (Article 10).

Section 4 Para 3 DSG regulates the processing of data regarding actions punishable under criminal or administrative law,

criminal convictions or suspected criminal actions.

Processing must (i) be based on an explicit legal authorization or obligation to process such data or (ii) be justified by a

statutory duty of care or legitimate interests pursuant to Article 6 (1) lit f GDPR, and be carried out in a manner ensuring

the protection of the data subjects’ interests set out in the GDPR and the DSG.

For example, legitimate interest may be established in recruitment processes for trustworthy personnel.

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was

not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:


any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.


Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results

relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the

search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly

affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

The Austrian DSG imposes further obligations upon controllers and processors. Pursuant to Section 6, all employees,

agents or contractors of a controller or a processor who have access to personal data must be contractually obliged to

transfer personal data only after receiving an adequate and documented instruction by their employer (confidentiality

obligation). All employees, agents or contractors of a controller or a processor must be subject to confidentiality

undertakings or professional or statutory obligations of confidentiality. Measures must be taken to ensure that all

employees, agents or contractors of a controller or a processor are bound by the aforementioned undertakings and/or

obligations of confidentiality even after the termination of their respective contract, regardless of the cause or form

thereof.

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631

CCTV, or rather more broadly processing of images made in public or private spaces, including related sound recordings,

are subject to further regulation and requirements pursuant to Sections 12 and 13 DSG. This provision provides

limitations regarding the lawfulness of such processing as compared to Art 6 GDPR, as processing of image data is only

permissible in the following cases:

processing is necessary in order to protect the vital interests of the data subject

the data subject has given their consent

the processing is required or permitted by specific statutory law, or

the interests of the data controller override the interests of the data subjects in the specific case, and the

processing is proportionate

Overriding legitimate interests are assumed by the law in some cases listed as examples, such as preventive protection of

property or persons on private properties or publicly accessible spaces controlled by the data controller.

The capturing of images / CCTV is always prohibited in the following cases:

processing of images capturing persons in their personal area of life without their express consent

processing of CCTV images for the purpose of employee monitoring

the automated comparison of personal data obtained by means of capturing images / CCTV without explicit

consent and for the creation of personality profiles with other personal data, or

the evaluation of personal data obtained by means of image capturing on the basis of special categories of personal

data (Art. 9 GDPR) as a selection criterion

In early 2020, the Austrian Data Protection Authority published a non-binding opinion, referring to two decisions of

the Federal Administrative Court, and stating that Sections 12 and 13 DSG are not in line with the GDPR and shall

therefore no longer be applied. The Authority shall assess CCTV data processing exclusively on the basis of the GDPR.

However, the contents of the Sections 12 and 13 DSG are still practically used as criteria for assessment of the lawfulness

of the processing.

Other additional regulations for processing of data include:

regulation relating to processing for archiving purposes in the public interest, scientific or historical research

purposes or statistical purposes (Section 7), which allows processing of such data if they are publicly accessible,

have been collected lawfully for other research purposes or other lawful purposes, or are pseudonymized; other

data may only be processed to the extent there are specific statutory regulations, the data subjects have given

their consent or the Data Protection Authority has approved the processing

further regulation regarding the processing of data for purposes pursuant to Art 89(1) GDPR, most notably for

research purposes, included in the Act on Research Organisation (Forschungsorganisationsgesetz – FOG); this

regulation includes provisions which lessen to some extent the requirements for processing of special categories

of data, including in particular the concept of “broad consent”, and limit the rights of data subjects in this respect

regulation relating to the processing of addresses for informing or sending questionnaires to data subjects (Section

8), which in principle requires consent for such processing, but also provides some derogations

regulation regarding data processing in cases of catastrophes (Section 10)

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.


Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defense of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident, and

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing

Section 13 DSG imposes further obligations on Controllers in regard to CCTV and / or processing of captured images

pursuant to Section 12 DSG. The controller needs to secure the access to the CCTV / captured images in a way that

makes any access and / or subsequent alteration of captured images by an unauthorized third party impossible.

BREACH NOTIFICATION


The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, they are required to notify the controller without undue delay upon

becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. The Treaty does not

define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of

each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. Under EU

case-law regarding competition, there is also precedent for regulators to impose joint and several liability on parent companies for

fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look

through” liability. It is not yet clear whether this will translate directly to GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy broad investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR provides for specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” because of a breach of the GDPR has the right to receive

compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that

individuals will be able to claim compensation for distress even where they are not able to prove financial loss. These

claims can be made at any competent court.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Furthermore, individuals may lodge a complaint to a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In Austria, the Austrian Data Protection Authority is responsible for the enforcement of the GDPR. Pursuant to Section

11 DSG, the Austrian Data Protection Authority is obliged to impose administrative fines pursuant to the Article 83

GDPR in an adequate way. The Authority should in particular also apply the measures pursuant to Art 58 GDPR in case of

first time breaches, in particular the possibility to issue warnings instead of imposing fines.

The fines under the GDPR are imposed under Austrian administrative criminal law. The Austrian administrative criminal

law in general does not allow authorities to impose fines against a legal entity, but provides only for the liability of natural

persons; in cases where violations are committed by a legal entity, the liable persons are either statutory representatives

(directors) or persons appointed as responsible persons for adherence with specific administrative laws. However, the

DSG provides a possibility to impose fines against legal entities, in the following cases:

A violation of GDPR or DSG is committed by a natural person who has power (1) to represent the legal entity or

to make decisions on behalf of the legal entity; or (2) has supervisory powers in the legal entity and has

committed this offence either alone or as a part of an organ of the legal entity (eg, management board)

An employee of the legal entity violates the provisions of GDPR or DSG and the violation was possible due to

insufficient supervision or control by a natural person that has power (1) to represent the legal entity;

(2) to make decisions on behalf of the legal entity; or (3) has supervisory powers in the legal entity,

provided the violation is not subject to criminal law.

Fines may be imposed against a legal entity or a responsible natural person, as appropriate. If the fine is imposed

against a legal entity, the Authority is required to identify a particular natural person whose violations are to be attributed

to said entity; the responsible natural person may not be fined for the same breach.

Public bodies cannot be fined for violations of GDPR or DSG.


ELECTRONIC MARKETING

The GDPR applies to most electronic marketing activities, as these will involve use of personal data ( eg, an email address which

includes the recipient’s name). The most relevant legal bases for electronic marketing will be consent, or the legitimate interests of

the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict

standards for consent under the GDPR apply, and marketing consent forms will need to incorporate clearly worded opt-in

mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms

and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State, provides for specific rules on

electronic marketing (including circumstances in which consent must be obtained). The ePrivacy Directive is yet to be replaced by

a Regulation. However, it is currently uncertain when this is going to happen. In the meantime, Article 94 makes it clear that

references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive

95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Neither the GDPR nor the DSG specifically addresses (electronic) marketing; however, the use of personal data for marketing purposes is

clearly within their scope. It is arguable that the processing of personal data of the existing customers within the scope of the

business is permissible for marketing purposes, and this has become common practice in Austria. For persons who are not yet

customers, the consent of the data subjects is generally required.

Electronic marketing is also regulated by the Austrian Telecommunications Act (Telekommunikationsgesetz 2021, ‘TKG’). Pursuant

to the TKG the sending of electronic messages without prior consent of the recipient is unlawful, if the sending is for direct

marketing purposes. No consent is required if the data has been obtained in the course of the sale of goods or provision of

services, occurs for the same or similar goods or services, the recipient is able to decline easily and with no costs for the use of

his or her personal data and the recipient has not previously declared, by requesting to be entered on to the relevant list

(maintained by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR)), that they do not want to be

contacted.

The GDPR implementation Acts do not provide any amendments or derogations in respect of electronic marketing.

However, electronic marketing was and still is separately regulated in Austria in the Telecommunications Act

(Telekommunikationsgesetz 2021, TKG), Section 174, which implements the ePrivacy Directive.

Pursuant to the TKG the sending of electronic messages without prior consent of the recipient is unlawful insofar as the

message is sent for direct marketing purposes. Explicit consent is not required where (1) the data have been obtained in

the context of the sale of goods or provision of services; (2) the electronic marketing concerns same or similar goods or

services of the sender; (3), the recipient is able to decline easily and with no costs for the use of his or her personal data

for electronic marketing, both when the data are collected as well as with each message received (‘opt-out’), and the

recipient has not previously declared, by requesting to be entered on to the relevant lists (the “Robinson lists”, maintained

by the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR) and the Austrian Chamber of

Commerce (WKO)), that he or she does not want to be contacted.

ONLINE PRIVACY

Online privacy is specifically regulated by the TKG.

Traffic data

Traffic Data held by communications services providers (CSPs) must be erased or anonymized when it is no longer necessary for


the purpose of the transmission of a communication. However, Traffic Data can be retained for purposes of invoicing the services.

In such a case, if the invoice has been paid and no appeal has been lodged with the CSP within three months the Traffic Data must

be erased or anonymized.

Location data

Location Data may only be processed for emergency services and with consent of the user. Even in case of consent, the user must

be able to prohibit the processing by simple means, free of charge and for a certain time period.

Cookie compliance

The relevant section of the TKG stipulates that a user must give informed consent for the storage of personal data, which includes

a cookie. The user has to be aware of the fact that consent for the storage or processing of personal data is given, as well as the

details of the data to be stored or processed, and has to agree actively. Therefore obtaining consent via some form of pop-up or

click through agreement seems advisable. Consent by way of browser settings, or a pre-selected checkbox etc. is probably not

sufficient in this respect.

If for technical reasons the short term storage of content data is necessary, such data must be deleted immediately thereafter.

Online privacy is still specifically regulated by the TKG, and the GDPR implementation acts have introduced only minor

amendments thereto. There are no regulations regarding online privacy in the DSG itself.

Media privilege

In an effort to balance freedom of speech and freedom of information, publishers as well as owners and employees of

media outlets are granted privileges regarding the processing of data for journalistic purposes (Section 9 DSG). Certain

Chapters of the GDPR are not applicable to such processing, specifically:

Chapter II (Principles);

Chapter III (Rights of the data subject);

Chapter IV (Controller and Processor);

Chapter V (Transfers of personal data to third countries or international organizations);

Chapter VI (Independent supervisory authorities);

Chapter VII (Cooperation and consistency); and

Chapter IX (Provisions relating to specific processing situations).

The same exceptions (with the slight difference of Article 5 of Chapter II remaining applicable) are stipulated if data is

processed for scientific, artistic or literary purposes.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Sabine Fehringer
Partner

T +43 1 531 78 1460

sabine.fehringer@dlapiper.com

Stefan Panic
Counsel

T +43 531 78 1034

stefan.panic@dlapiper.com


AZERBAIJAN

Last modified 15 February 2022

LAW

Law on Personal Information dated 11 May 2010.

DEFINITIONS

Definition of Personal Data

Any information that allows a person to be identified, directly or indirectly, is considered personal data.

Definition of Sensitive Personal Data

Personal data of a special category includes information relating to an individual’s race or nationality, family life, religion and

belief, health or conviction.

NATIONAL DATA PROTECTION AUTHORITY

The major regulator/enforcement authority (DPA) is the Ministry of Digital Development and Transport.

In addition, the other designated state authorities that are vested with powers to enforce applicable data protection/privacy laws,

within the scope of their competences, include the Ministry of Internal Affairs, the Ministry of Justice, the State Security Service,

and the Special State Protection Service.

REGISTRATION

Information systems of personal data must be registered with the DPA. There are also certain exemptions from this registration

requirement.

DATA PROTECTION OFFICERS

The DPA, through its officers, may demand the elimination of violations of statutory requirements by legal entities and individuals, and may also

take the necessary actions to hold accountable persons who have breached the statutory requirements regarding the collection, processing

and protection of personal data.

COLLECTION & PROCESSING

Collection and processing of personal data may be carried out either with the prior consent of the data subject or when the

data is of the open category (i.e. non-confidential).

TRANSFER


Transfer of personal data may be performed with the prior written consent of the data subject, unless the data is of the open category.

SECURITY

An adequate level of protection of personal data must be provided by owners or operators of personal data.

BREACH NOTIFICATION

There is no specific requirement for the owner or operator of personal data to notify the DPA of a breach.

ENFORCEMENT

If the rights of a data subject are breached as a result of the illegal collection and processing of personal data, inadequate

protection of such data, or non-compliance with the statutory requirements, the data subject may claim compensation for the

material and moral damages sustained by him/her through the local court.

ELECTRONIC MARKETING

No consent of the recipient is required for e-mail marketing, provided only that service providers establish a registration

system for persons who wish to opt out of receiving marketing materials, and comply with that system.

ONLINE PRIVACY

There are no rules directly regulating the use of cookies in Azerbaijani legislation. However, if cookies contain any personal data, the

Azerbaijani data protection rules will apply to the use of such cookies.

If a data subject cannot be identified solely on the basis of location data, such data is unlikely to be deemed personal data and would fall outside the

scope of the personal data protection requirements.

KEY CONTACTS

MGB Law Offices

mgb-law.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Ismail Askerov
Senior Partner

MGB Law Offices

T +99412 493 6669

ismail.askerov@mgb-law.com

Lala Hasanova
Senior Associate

MGB Law Offices

T +99412 493 6669

lala.hasanova@mgb-law.com


BAHAMAS

Last modified 22 December 2021

LAW

Data Protection (Privacy of Personal Information) Act (“DPA”).

DEFINITIONS

Definition of Personal Data

Section 2 DPA defines ‘personal data’ as data relating to a living individual who can be identified either from the data or from the

data in conjunction with other information in the possession of the data controller.

Definition of Sensitive Personal Data

‘Sensitive personal data’ is further defined in Section 2 DPA as personal data relating to: racial origin; political opinions or religious

or other beliefs; physical or mental health (other than any such data reasonably kept by them in relation to the physical or mental

health of their employees in the ordinary course of personnel administration and not used or disclosed for any other person);

trade union involvement or activities; sexual life; or criminal convictions, the commission or alleged commission of any offence, or

any proceedings for any offence committed, the disposal of such proceedings or the sentence of any court in such proceedings. 

It should be noted that although sensitive personal data (‘SPD’) is distinguished from personal data under DPA in its specificity of

certain categories of data, SPD does not otherwise receive any special treatment compared to general personal data. While DPA

provides that the relevant Minister responsible for data protection may create regulations that would provide safeguards for such

data under the Act, such a regulation has never materialized.

NATIONAL DATA PROTECTION AUTHORITY

Section 14 DPA establishes a Data Protection Commissioner (‘DPC’), a corporation sole, that is tasked with the enforcement of

the provisions of DPA. The DPC operates from the Office of the Data Protection Commissioner, which would be the Bahamian

equivalent of a national data protection authority as seen in other jurisdictions.

REGISTRATION

There is no obligation under DPA to register with the Office of the Data Protection Commissioner as a data controller (or data

processor).

DATA PROTECTION OFFICERS

There is no statutory duty to appoint a Data Protection Officer under DPA.

COLLECTION & PROCESSING


DPA in The Bahamas has only limited extraterritorial effect (as it concerns data controllers). Per Section 4(1) of DPA, the Act

only applies to: data controllers established in The Bahamas (where the data is processed in the context of the local

establishment); and data controllers established outside The Bahamas that use equipment in The Bahamas for processing data

(other than for transit through The Bahamas). 

In the above context, an ‘established’ data controller can be any of the following (in accordance with Section 4(3) of DPA): an

individual ordinarily resident in The Bahamas; a body incorporated or registered under Bahamian law; a partnership or other

unincorporated association formed under Bahamian law; and any person that does not fall into any of the foregoing categories but

maintains an office, branch or agency in The Bahamas through which they carry on a business activity or regular practice. It can be

seen, therefore, that a nexus to The Bahamas of the kind described above must be established for DPA to apply outside the

jurisdiction. 

A data controller is defined in Section 2 DPA as a person who, alone or with others, determines the purposes for which and the

manner in which any personal data are, or are to be, processed. Data controllers owe a statutory duty of care to data subjects

pursuant to Section 12(1) as regards their collection of personal data or information intended for inclusion in such data, or

their dealing with such data. Further, Section 12(2) provides that data controllers must use contractual or other legal means to

ensure a ‘comparable’ level of protection from any third party to whom they disclose information for the purpose of data

processing.

Data controllers, under Section 6(1), must abide by several core duties relating to the collection, processing, keeping, use

and disclosure of data relating to data subjects, namely, to ensure:

The data or information constituting the data has been collected by means which are lawful and fair in the circumstances

of the case (e.g., data subjects should not be deceived or misled as to the purpose(s) for which the data is being processed

or collected – and the use of such data should not cause damage or distress to the data subject);

The data is accurate and kept up to date where necessary (except in the case of data back-up);

The data is kept only for one or more specified or lawful purpose(s);

The data is not used or disclosed in a manner which is incompatible with that/those purpose(s);

The data collected is adequate, relevant and not excessive in relation to that purpose or purposes;

The data is not kept for a period longer than necessary for the purpose(s) for which it was collected (except in cases

where personal data needs to be kept for historical, statistical or research purposes);

There are appropriate security measures in place to prevent unauthorised access to, or alteration, disclosure or

destruction of data and against its accidental loss or destruction.

TRANSFER

Section 17 DPA speaks to the international transfer of data. Under Section 17(1) the DPC may prohibit the transfer of personal

data from The Bahamas to a place outside The Bahamas in cases where there is a failure to provide protection either by contract

or otherwise equivalent to that provided under DPA, subject to certain exceptions. In arriving at a determination to prohibit the

international transfer of data, the DPC must consider whether such a transfer would cause damage or distress to any person and

consider the desirability of the transfer. Pursuant to Section 17(8), however, Section 17 does not apply to data required or authorized to be

transferred under another enactment; data that is required to be transferred by any convention or other instrument imposing an international

obligation on The Bahamas; or data that a data subject has consented to having transferred.

SECURITY

As mentioned previously, Section 6(1)(d) provides that data controllers must ensure that appropriate security measures are taken

against unauthorised access to, or alteration, disclosure or destruction of, the data and against their accidental loss or destruction.

In practice, appropriate security measures typically mean ‘industry-standard’ (particularly for institutions that store SPD, e.g. law

firms, hospitals, banks, insurance companies, etc).

BREACH NOTIFICATION


There is no breach notification obligation under the provisions of DPA.

ENFORCEMENT

The DPC of The Bahamas is largely responsible for the enforcement of data protection in the jurisdiction. Section 15(1) states that

the DPC may investigate or cause to be investigated whether any of the provisions of DPA have been contravened by a data

controller or a data processor in relation to an individual when an individual has complained of a contravention of any DPA

provisions or where he may otherwise be of the opinion that a contravention may have occurred. Enforcement measures the

DPC can utilize include enforcement notices (Section 16 DPA), prohibition notices (Section 17 DPA), information notices (Section

18 DPA), and in rare instances bringing and prosecuting summary offences under DPA (Section 28 DPA). 

Aside from its statutory functions, the DPC is also tasked with educating the public on data protection issues and trends and

providing assistance in data breach remediation.

In accordance with Section 29(1) DPA, a person guilty of an offence under DPA is liable on summary conviction to

a fine not exceeding $2,000.00 Bahamian Dollars, or on conviction on information to a fine not exceeding $100,000.00 Bahamian

Dollars. Further, Section 29(2) provides that where a person is convicted of a DPA offence, the court may also order that any data

material which appears to the court to be connected with the commission of the offence be forfeited or destroyed and that any

(relevant) data be erased.

ELECTRONIC MARKETING

Data subjects have the right to prohibit processing for the purposes of direct marketing by way of Section 11 DPA. Though DPA

provides that ‘direct marketing’ includes direct mailing, it also applies by extension to electronic marketing and newsletters. In

order to prohibit such processing a data subject may make a written request to the data controller to cease using any data that

has been kept for the purpose of direct marketing. The data controller then has no more than forty days to either erase or cease

using the said data and notify the data subject in writing accordingly.

ONLINE PRIVACY

Outside of the current provisions of DPA and legislation governing law enforcement access to one’s computing devices and

encrypted data (e.g. the Interception of Communications Act, Computer Misuse Act, National Crime Intelligence Agency Act etc.),

online privacy is largely unregulated and there are no specific laws aimed at the use of cookies or the collection of location data. 

Under the Electronic Communications and Transactions Act (‘ECTA’), however, Section 20 provides for an online intermediary

procedure for ‘dealing with unlawful, defamatory, etc. information’. An intermediary is defined under Section 2 ECTA as, in the

context of an electronic communication, a person including a host on behalf of another person who sends, receives or stores

either temporary or permanently that electronic communication or provides related services with respect to that electronic

communication. Section 20(1) states that where an intermediary has actual knowledge that information in an electronic

communication gives rise to civil or criminal liability, then as soon as possible the intermediary should remove the information

from any information processing system within the intermediary’s control and cease to provide or offer services in respect of that

information and notify the police of any relevant facts and of the identity of the person to whom the intermediary was

supplying services in respect of the information, if the identity of that person is known to the intermediary. Similarly, Section 20(2)

states that if an intermediary is aware of facts or circumstances from which the likelihood of civil or criminal liability in respect of

the information in an electronic communication ought reasonably to have been known, it should, as soon as practicable, follow any

relevant procedure set out in any code of conduct that may be applicable to the intermediary under the Act or notify the police

and relevant Minister responsible for electronic communications. The Minister may then direct the intermediary to remove the

electronic communication from any information processing system within the control of the intermediary and cease to provide

services to the person to whom the intermediary was supplying services in respect of that electronic communication. It can be

argued that these provisions give intermediaries (e.g. telecommunications providers) facilitating communications between end

users broad powers to cease services or effectively censor electronic communications they deem

objectionable, on the grounds that civil or criminal liability could arise, without themselves incurring any liability provided the action is taken

in good faith.


KEY CONTACTS

GrahamThompson

grahamthompson.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Sean G. McWeeney Jr.
Associate

GrahamThompson

T +1 (242) 322-4130

sgm@gtclaw.com


BAHRAIN

Last modified 7 December 2021

LAW

Bahrain enacted Law No. 30 of 2018 with respect to Personal Data Protection (“PDPL”) on July 12, 2018. The PDPL is the main

data protection regulation in Bahrain. The PDPL came into force on August 1st 2019, and supersedes any law with contradictory

provisions.

DEFINITIONS

Definition of personal data

Personal data is defined under the PDPL as any information of any form related to an identifiable individual, or an individual who

can be identified, directly or indirectly, particularly through their personal identification number, or one or more of their physical,

physiological, intellectual, cultural or economic characteristics or social identity.

Definition of sensitive personal data

Sensitive personal data is a subset of personal data. It is personal data which reveals, directly or indirectly, the individual’s race,

ethnicity, political or philosophical views, religious beliefs, union affiliation, criminal record or any data related to their health or

sexual life. Sensitive personal data requires more rigorous treatment by data controllers. 

NATIONAL DATA PROTECTION AUTHORITY

Under the PDPL, the Personal Data Protection Authority (“Authority”) will have power to investigate violations of the PDPL on

its own, at the request of the responsible minister, or in response to a complaint.

The Authority can issue orders to stop violations, including issuing emergency orders and fines. Civil compensation is also allowed

for any individual who has incurred damage arising from the processing of their personal data by the data controller, or from a violation of

the provisions of the PDPL by a business’s data protection officer. Finally, the most concerning feature of the PDPL for businesses

is that it carries criminal penalties for violations of certain provisions.

Decree No. 78 of 2019 (the “Decree”) was enacted to determine the administrative authority that will assume the mandated

functions and powers of the Authority. This Decree came into force 29 September 2019.

Article I of the aforementioned Decree appoints the Ministry of Justice, Islamic Affairs and Endowments (the “Ministry”) as the

Authority for the protection of personal data in accordance with the provisions of the PDPL, on a temporary basis pending the

financial allocation of the Authority in the general budget of Bahrain and the issuance of a decree forming the Board of Directors

pursuant to Article 39 of the PDPL.

The Minister of the Ministry will assume the functions and powers prescribed to the Board of Directors of the Authority and the

Chairman of the Board of Directors, in accordance with the provisions of the PDPL. The Undersecretary of the Ministry will


assume the same functions and powers as the Executive Chairman.

REGISTRATION

The Authority must create a register of data protection officers. To be accredited as a data protection officer, an individual must

be registered in that register.

DATA PROTECTION OFFICERS

Data controllers may voluntarily appoint a data protection officer. The Authority’s Board of Directors may also issue a decision

requiring specific categories of data controllers to appoint data protection officers. However, in all instances, the data controller

must notify the Authority of such an appointment within three days of its occurrence.

A data protection officer must help the data controller in exercising its rights and fulfilling its obligations prescribed under the

PDPL. The data protection officer also has a number of other roles, including liaising with the Authority, verifying that personal

data is processed in accordance with the PDPL, notifying the Authority of any violations of the PDPL that the data protection

supervisor becomes aware of and maintaining a register of processing operations that the data controller must notify the

Authority about.

COLLECTION & PROCESSING

Processing is defined under the PDPL as any operation or set of operations carried out on personal data by automated or

non-automated means, such as collecting, recording, organizing, classifying in groups, storing, modifying, amending, retrieving, using

or revealing such data by broadcasting, publishing, transmitting, making them available to others, integrating, blocking, deleting or

destroying them.

Processing of personal data can only occur with the consent of the data subject, unless the processing is necessary:

to implement a contract to which the data subject is a party;

to take steps at the request of the data subject to conclude a contract;

to implement an obligation required by law, contrary to a contractual obligation or an order from a competent court;

to protect the vital interests of the data subject; or

to exercise the legitimate interests of the data controller or any third party to whom the data is disclosed, unless this

conflicts with the fundamental rights and freedoms of the data subject.

Processing of sensitive personal data is also prohibited without the consent of the data subject, except when the processing:

is required by the data controller to carry out their obligations;

is necessary for the protection of the data subject;

concerns data that has been made available to the public by the data subject;

is necessary to exercise any of the procedures of claims of legal rights or the defence thereof;

is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare, treatment or management

of healthcare services;

is carried out within the activities of associations, unions and other non-profit organisations;

is carried out by a competent public entity; or

relates to race or ethnicity, if necessary to ascertain equal opportunities or treatment of the society’s

individuals.

Data controllers are prohibited from processing the following personal data types without the prior written authorization of the

Authority:

automatic processing of sensitive personal data of data subjects who cannot provide consent;


automatic processing of biometric data;

automatic processing of genetic data (unless such processing was provided by physicians and specialists at a licensed

medical establishment and is necessary for purposes of preventative medicine or diagnostic medicine, or purposes to

provide treatment or healthcare);

automatic processing of personal data files that are in the possession of two or more data controllers that are processing

personal data for different purposes; or

processing that consists of visual recording to be used for monitoring purposes.

TRANSFER

Transfers of personal data out of Bahrain are prohibited unless the transfer is made to a country or region that provides sufficient

protection to personal data. Those countries need to be listed by the Authority and published in the Official Gazette.

Data controllers can also transfer personal data to countries that are not determined to have sufficient protection of personal data

where:

the transfer occurs pursuant to a permission to be issued by the Authority on a case-by-case basis, if it deems that the

data will be sufficiently protected;

if the data subject has consented to that transfer;

if the data to be transferred has been extracted from a register that was created in accordance with the PDPL for the

purpose of providing information to the public, regardless of whether viewing of this register is available to everyone or

limited to the parties concerned in accordance with specific terms and conditions. In this instance, one shall have to satisfy

the terms and conditions prescribed for viewing the register before viewing that information;

if the transfer is necessary for any of the following:

to implement a contract between the data subject and the data controller, or to undertake preceding steps at the

data subject’s request for the purpose of concluding a contract;

to implement or conclude a contract between the data controller and a third party for the benefit of the data

subject;

to protect the data subject’s vital interests;

to implement an obligation imposed by the PDPL (even if this is contrary to the contractual obligation), or to

implement an order issued by a competent court, the public prosecution, the investigating judge or the military

prosecution; or

to prepare, execute or defend a legal claim.

SECURITY

The PDPL requires that data controllers apply technical and organizational measures capable of protecting the data against

unintentional or unauthorized destruction, accidental loss, unauthorized alteration, disclosure or access, or any other form of

processing.

The PDPL requires that the Authority’s Board of Directors issue a decision specifying the terms and conditions that the technical

and organizational measures must satisfy. The decision may require specific activities by applying special security requirements

when processing personal data.

Data controllers must also use data processors who will provide sufficient guarantees about applying the technical and

organizational measures that must be adhered to when processing the data. Data controllers must also take reasonable steps to

verify that data processors comply with these measures.

BREACH NOTIFICATION

The PDPL contains a general requirement on the data protection officer to notify the Authority of any breach of the PDPL of

which the data protection officer becomes aware.

Mandatory breach notification


Under the PDPL, there is no mandatory data breach notification provision requiring data controllers to notify the Authority or

data subject in the event that there is a breach of personal data held by the data controller. 

ENFORCEMENT

The Authority can issue orders to stop violations, including emergency orders and fines. Civil compensation is also allowed for any

individual who has incurred damage arising from the processing of their personal data by the data controller, or arising from the

data protection officer’s violation of the PDPL. Appeals can be made against decisions of the Authority.

The PDPL also carries a range of criminal penalties and administrative fines for violating certain provisions.

Criminal penalties of imprisonment of not more than one year and / or a fine of between BHD 1,000 and BHD 20,000 may be imposed

against any individual who:

processes sensitive personal data in violation of the PDPL;

transfers personal data outside Bahrain to a country or region in violation of the PDPL;

processes personal data without notifying the Authority;

fails to notify the Authority of any change made to the data of which they have notified the Authority;

processes certain personal data without prior authorization from the Authority;

submits to the Authority or the data subject false or misleading data to the contrary of what is established in the records,

data or documents available at their disposal;

withholds from the Authority any data, information, records or documents which they should provide to the Authority or

enable it to review them in order to perform its missions specified under the PDPL;

hinders or suspends the work of the Authority’s inspectors or any investigation which the Authority is going to

make; and / or

discloses any data or information to which they have access due to their job, or which they used for their

own benefit or for the benefit of others unreasonably and in violation of the provisions of the PDPL.

ELECTRONIC MARKETING

Under the PDPL, data controllers must notify the data subject when data is collected directly or indirectly of whether data will be

used for direct marketing purposes. Notice is important because it alerts data subjects of their right to object to any direct

marketing relating to their personal data.

ONLINE PRIVACY

There is no specific online privacy regulation in Bahrain.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Mohamed Toorani
Legal Director – Head of Bahrain Office

T +973 1755 0896

mohamed.toorani@dlapiper.com

Lulwa Alzain
Associate

T +973 1755 0891

lulwa.alzain@dlapiper.com

Jenan Banahi
Associate

T +973 1755 0897

jenan.banahi@dlapiper.com


BANGLADESH

Last modified 11 January 2022

LAW

Digital Security Act 2018 (“DSA 2018”).

DEFINITIONS

Definition of personal data

Section 26 of the DSA defines the term “identity information” as “any external, biological or physical information or any other information which singly or jointly can identify a person or a system, such as name, photograph, address, date of birth, mother’s name, father’s name, signature, national identity card, birth and death registration number, finger print, passport number, bank account number, driving license, e-TIN number [Tax identification Number], electronic or digital signature, username, credit or debit card number, voice print, retina image, iris image, DNA profile, security related question or any other identification which are available for advance technology”.

Definition of sensitive personal data

The DSA 2018 does not define the term “Sensitive Personal Data” or any similar or equivalent term.

NATIONAL DATA PROTECTION AUTHORITY

Digital Security Agency.

REGISTRATION

No requirements.

DATA PROTECTION OFFICERS

No requirements.

COLLECTION & PROCESSING

There are no statutes that expressly allow the collection and processing of identification information.

The DSA 2018 came into force in full on 8 October 2018. Section 26 of the DSA 2018 has been drafted in very wide terms. The contents of this provision would appear to provide, inter alia, that if anyone, without lawful authority, collects, sells, keeps possession of, supplies or uses identification information of another person, it would constitute an offence.[1] The punishment for a first-time offender would be imprisonment for a term not exceeding five years or a fine not exceeding Taka 5,00,000 (approx. US$ 5,950 as at 19 January 2021) or both. The punishment for second-time or repeat offenders would be imprisonment for a term not exceeding 10 years or a fine not exceeding Taka 10,00,000 (approx. US$ 11,900 as at 19 January 2021), or both.


Please note that the DSA 2018 does not contain any exceptions to the Section 26 requirement. However, identification information may be, among other things, collected and stored by a person if he has lawful authority. The term “lawful authority” has not been defined in the DSA 2018. Due to the very recent enactment of this legislation, the Government of Bangladesh has not yet issued any clarification as to what would constitute ‘lawful use’ and has provided no guidance on what would satisfy the ‘lawful authority’ requirement. It is for these reasons (among others) that the legislation has been widely criticised.

In our opinion, a person will be deemed to have lawful authority if they are authorized by statute or contract to collect and store such identification information.

Note 1. Please note that this is an unofficial English translation of the wording of the provision in question.

TRANSFER

Bangladesh does not specifically regulate data transfers within Bangladesh or from Bangladesh to outside of Bangladesh. In our opinion, transfers would be permitted provided consent of the data subject is obtained.

While there are no general restrictions on transfer of data outside Bangladesh, please note that there are certain industry-specific restrictions that are discussed below.

Banks

Section 12 of the Bank Companies Act, 1991 has imposed a restriction upon bank companies with regard to removal of documents and records outside Bangladesh without prior permission of Bangladesh Bank (i.e. the central bank of Bangladesh). The requirement for obtaining prior written permission from Bangladesh Bank is upon the transferor, i.e. the bank company.

Banks must also maintain confidentiality in banking transactions.

Telecommunication companies

The Bangladesh Telecommunication Regulatory Commission (“Commission”) is the authority that is responsible for regulating telecommunications companies (“telcos”) in Bangladesh and issuing licenses to telcos for providing mobile phone services.

The license which is granted to the telcos contains a provision regarding subscriber confidentiality. The confidentiality requirement applies to “all information provided by the subscriber”. As such, telcos will be prohibited from sharing any subscriber information (to entities or persons located inside or outside Bangladesh) that does not come within the exemptions listed above. Furthermore, in our opinion, subscribers would not have the option of giving consent to the telcos to share their data; instead, for such sharing, approval from the Commission will be required.

SECURITY

There are no data security requirements.

BREACH NOTIFICATION

There is no requirement to report data breaches to any individual or regulatory body.

ENFORCEMENT

There is no enforcement mechanism. Appropriate relief may be sought through courts of law having jurisdiction in the matter.

ELECTRONIC MARKETING

There is no regulation on electronic marketing.


ONLINE PRIVACY

There is no regulation on cookies and location data. However, it is advisable to obtain user consent, such as through appropriate disclaimers.

KEY CONTACTS

Dr. Kamal Hossain and Associates

www.khossain.com/


Dr. Sharif Bhuiyan
Partner and Deputy Head of Chambers – International and Commercial Practice
Dr. Kamal Hossain and Associates
T +88 02 9552946
sbhuiyan@khossain.com

Najeeb Huda
Associate
Dr. Kamal Hossain and Associates
T +88 02 9552946
nhuda@khossain.com


BARBADOS

Last modified 10 January 2022

LAW

The Data Protection Act (the “Act”) was passed on August 12, 2019, and came into force in March 2021. The purpose of the Act is to regulate the collection, keeping, processing, use and dissemination of personal data and to protect the privacy of individuals in relation to their personal data.

DEFINITIONS

Definition of Personal Data

“Personal data” means data which relates to an individual who can be identified:

- from that data; or
- from that data together with other information which is in the possession of or is likely to come into the possession of the data controller.

Definition of Sensitive Personal Data

“Sensitive personal data” means personal data consisting of information on a data subject’s:

- racial or ethnic origin;
- political opinions;
- religious beliefs or other beliefs of a similar nature;
- membership of a political body;
- membership of a trade union;
- genetic data;
- biometric data;
- sexual orientation or sexual life;
- financial record or position;
- criminal record; or
- proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court of competent jurisdiction in such proceedings.

NATIONAL DATA PROTECTION AUTHORITY

A Data Protection Commissioner (the “Commissioner”) is responsible for the general administration of the Act.

REGISTRATION

A data controller must be registered in the Register of Data Controllers. 


A data processor must be registered in the Register of Data Processors.

DATA PROTECTION OFFICERS

The data controller and the data processor must designate a data privacy officer where:

- the processing is carried out by a public authority or body, except for a court of competent jurisdiction acting in their judicial capacity;
- the core activities of the data controller or the data processor consist of processing operations which, by virtue of their nature, their scope and their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the data controller or the data processor consist of processing on a large scale of sensitive personal data.

The data privacy officer must be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the duties and functions as set out under the Act.

COLLECTION & PROCESSING

Where personal data relating to a data subject is collected from the data subject, the data controller must, at the time when personal data is obtained, provide the data subject with the following:

- the identity and the contact details of the data controller and, where applicable, of the data controller’s representative;
- the contact details of the data privacy officer, where applicable;

Processing is lawful where:

- the data subject has given consent to the processing of his personal data for one or more specific purposes; or
- the processing is necessary:
  - for the performance of a contract to which the data subject is a party;
  - for the taking of steps at the request of the data subject with a view to entering into a contract;
  - for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  - in order to protect the vital interests of the data subject;
  - for the administration of justice;
  - for the exercise of any functions of either House of Parliament;
  - for the exercise of any functions conferred on any person by or under any enactment;
  - for the exercise of any functions of a public authority;
  - for the purposes of legitimate interests pursued by the data controller or by the third party to whom the data is disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject; or
- processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

TRANSFER

Transfer of personal data is unlawful unless certain conditions are satisfied. Where the data subject has given their consent to the transfer of their personal data, the restrictions on the transfer of the data do not apply. The Act also sets out various other exemptions from the restrictions where transfer of the personal data is necessary, e.g. for the performance of a contract between the data subject and the data controller, for reasons of substantial public interest, for the purpose of obtaining legal advice, etc.

Personal data obtained must not be transferred to a country or territory outside Barbados unless that country or territory provides for (a) an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data and (b) appropriate safeguards, on condition that the rights of the data subject are enforceable and there are available, effective legal remedies for data subjects.

The circumstances for determining an adequate level of protection, as well as methods for providing appropriate safeguards including the development of binding corporate rules, must be submitted to the Commissioner for authorisation.

The “binding corporate rules” must specify (but are not limited to) the following:

- the structure and contact details of the group of undertakings, or group of enterprises engaged in a joint economic activity, and of each of its members;
- the data transfers or set of transfers, including the categories of personal data, the type of processing and its purposes, the type of data subjects affected and the identification of the third country or countries in question;
- their legally binding nature, both in and outside of Barbados.

SECURITY

The data controller and the data processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

BREACH NOTIFICATION

In certain circumstances, a data controller is required to report to the Commissioner data breaches which have affected a data subject.

Mandatory breach notification

Where there is a personal data breach the data controller must, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the Commissioner, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of an individual.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must communicate the personal data breach to the data subject without undue delay and, where feasible, not later than 72 hours after having become aware of it.

ENFORCEMENT

Where the Commissioner is satisfied that a data controller or a data processor has contravened or is contravening this Act, the Commissioner may serve him an “enforcement notice”.

In deciding whether to serve an enforcement notice, the Commissioner must consider whether the contravention has caused or is likely to cause any person damage or distress.

ELECTRONIC MARKETING

There are no specific laws in respect of these matters.

ONLINE PRIVACY

There are no specific laws in respect of these matters.


KEY CONTACTS

Chancery Chambers

chancerychambers.com/


Angela R Robinson
Senior Associate
Chancery Chambers
T +246 431 0070
arobinson@chancerychambers.com

Giles A M Carmichael
Partner
Chancery Chambers
T +246 431 0070
gcarmichael@chancerychambers.com


BELARUS

Last modified 21 February 2022

LAW

The fundamental legal act regulating personal data protection in Belarus is the Law on Personal Data Protection of 7 May 2021 No. 99-Z, which entered into force on 15 November 2021 (Data Protection Law). It is the first Belarusian legal act intended specifically for regulation of personal data protection issues.

It is also worth taking into consideration the acts implemented within the framework of the Eurasian Economic Union (EEU), e.g. the Protocol on Information and Communication Technologies and Informational Interaction within the Eurasian Economic Union, Annex 3 to the Treaty on the Eurasian Economic Union of 29 May 2014. Following the Decision of the Supreme Eurasian Economic Council of 11 October 2017, the member states of the EEU are planning to develop the initiative on conclusion of the Agreement on Data Circulation within the Union (including on personal data protection). The initiative is one of the measures aimed at implementation of the Main Directions for Implementation of the Digital Agenda of the Eurasian Economic Union until 2025.

DEFINITIONS

Definition of personal data

Data Protection Law defines “personal data” as any information relating to an identified or identifiable natural person.

In its turn, “individual who can be identified” means an individual who can be directly or indirectly determined, in particular through the surname, proper name, patronymic, date of birth, identification number, or through one or more characteristic features of her/his physical, psychological, mental, economic, cultural or social identity.

The Law also defines “special personal data”, “biometric personal data”, “genetic personal data” and “publicly available personal data”.

Definition of sensitive personal data

Data Protection Law defines “special personal data”, which include information about race, nationality, political, religious and other convictions, health and sexual activity; criminal conviction records; biometric and genetic personal data.

“Biometric personal data” means information describing the physiological and biological characteristics of a person, which is used for her/his unique identification (fingerprints, palms, iris, characteristics of the face and its image, etc.), while “genetic personal data” is defined as information related to the inherited or acquired genetic characteristics of a person, which contain unique data on her/his physiology or health and can be identified, in particular, during the study of her/his biological sample.


NATIONAL DATA PROTECTION AUTHORITY

The National Personal Data Protection Centre (NPDPC) is the competent authority for the protection of personal data subjects’ rights. The main tasks of the NPDPC are taking measures to protect the rights of personal data subjects in the processing of their personal data and organising training on personal data protection issues.

In accordance with these tasks NPDPC performs the following functions:

- controls the processing of personal data by operators (authorised persons);
- considers complaints of personal data subjects regarding the processing of personal data;
- determines the list of foreign countries having a proper level of data subjects’ rights protection;
- issues permits for cross-border transfer of personal data, if the level of protection of personal data subjects’ rights in a foreign country is not adequate, as well as establishes the procedure for issuing such permits;
- makes proposals on the improvement of the personal data legislation, participates in the drafting of legal acts on personal data;
- provides explanations on the application of personal data legislation, carries out other explanatory work on personal data legislation;
- determines the cases in which it is not necessary to notify NPDPC of the breach of personal data protection systems;
- establishes the classification of information resources (systems) containing personal data in order to determine the technical and cryptographic protection requirements for personal data;
- participates in the work of international organisations on personal data protection issues;
- cooperates with authorities (organisations) for protection of rights of personal data subjects in foreign countries;
- publishes annually, by 15 March, a report in the mass media on its activities;
- implements educational programs of additional education for adults in accordance with the legislation on education;
- exercises other authority established by the personal data legislation.

Contact information of NPDPC
Build. 24-3, K.Zetkin str., Minsk, 220036
T: + 375 17 367 07 90
e-mail: info@cpd.by

REGISTRATION

Since 1 January 2024 operators are obliged to enter information about information resources (systems) containing personal data into the Register of Personal Data Operators and ensure that the relevant information is kept up-to-date. Types of information resources (systems), information about which is to be entered into the Register, as well as the list of information to be included therein, shall be determined by the Operational and Analytical Centre under the President of the Republic of Belarus (OAC) by 1 August 2022.

State information systems shall be registered under a separate procedure regardless of whether any personal data are processed in them or not. According to Belarusian legislation, state information systems are information systems created and / or acquired at the expense of state or local budgets, state off-budget funds, or by state legal entities. Registration is performed by an organisation specially authorised by the Ministry – SERUE “Institute of Application Software Systems.” One of the conditions for state registration of an information system is registration of all information resources included in such an information system. The described registration can be performed voluntarily for privately owned information systems.

According to the Edict of the President of the Republic of Belarus of 16 April 2013 No. 196 On Certain Measures for Improvement of the Information (Information Protection Decree), organisations owning information systems intended for processing of personal data are obliged to notify the OAC on the conditions of technical information protection of such systems.


DATA PROTECTION OFFICERS

Data Protection Law obliges operators to designate a structural unit or person responsible for the internal control of personal data processing. This shall be an internal unit or employees of the organisation, i.e. it is not possible to outsource the control functions. The legislation does not provide mandatory requirements for the person responsible for the internal control. Consequently, the operator appoints such a person or structural unit at its discretion.

Persons responsible for the internal control of personal data processing shall complete training on issues related to personal data protection at least once every five years. Depending on the type of organisation, the training may be organised at NPDPC or other educational organisations. In addition, the operators shall annually, by 15 November, provide NPDPC with information on the number of persons who shall complete training at NPDPC.

Moreover, a legal entity, including a state body, processing personal data shall create information protection systems to secure information in its information systems used for processing of such data. As part of the creation of such a system the entity should establish a special department or appoint an employee responsible for taking the required technical and cryptographic information protection measures. According to the amendments to the Information Protection Decree, the employees of such a department (responsible employee) are required to have higher education in the sphere of information protection security or other higher or professional-technical education and undergo training on the issues of technical and cryptographic information protection.

If for some reason the respective departments / employees cannot take such measures themselves, a special organisation licensed to perform activities on technical and / or cryptographic information protection may be involved.

COLLECTION & PROCESSING

Data Protection Law contains a wide range of legal bases for personal data processing:

- data subject’s consent;
- if the processing is required for:
  - administrative or criminal proceedings, operational-search activities;
  - administration of justice and the enforcement of court orders and other enforcement documents;
  - performing monitoring activities (supervision) in accordance with the legislation;
  - implementation of legislation on national security, on combating corruption, on preventing money laundering, financing of terrorist activities and financing weapons of mass destruction proliferation;
  - the implementation of legislation on elections and referendum;
  - state social insurance purposes;
  - formalising employment relationships, in the process of employment activities;
  - notarial activities;
  - Belarusian citizenship issues;
  - assignment and payment of pensions, benefits;
  - the organisation and carrying out of national statistical observations;
  - scientific and other research purposes, on condition that the personal data are depersonalised;
  - accounting, calculation, charging of fees for housing and utility services, other services, taxes;
- processing is based on a contract that is concluded (being concluded) with the data subject, and for the purpose of performing actions stipulated by this contract;
- if personal data are specified in a document addressed to the operator and signed by the data subject;
- processing is essential for the performance of certain journalist’s activities;
- processing is required to protect the subject’s life, health or other interests if obtaining consent is not possible;
- if personal data were previously disseminated;
- in order to fulfil the duties/powers stipulated in legislation;
- in other cases expressly provided in legislation.


Data Protection Law has a different list of legal bases for processing of special personal data and for cross-border transfer of personal data to the territories of states that do not ensure proper protection of data subjects’ rights.

The consent of the data subject can be obtained in writing, in the form of an electronic document or in another electronic form (e.g. via a tick-box on the website or SMS/email verification). The operator shall provide proof, if required, that it has collected proper consent for personal data processing.

Before obtaining consent, the operator shall provide the subject of personal data with the following information:

- name (full name) and location (address of residence) of the operator;
- purpose of personal data processing;
- list of personal data to be processed;
- consent validity term;
- information about the persons authorised by the operator to process personal data (if those are engaged);
- what actions will be done with personal data;
- a general description of the processing methods;
- other relevant information.

In addition, apart from other necessary information, the subject shall be informed of his/her rights, the mechanism for exercising them, and the consequences of giving and withdrawing consent.

The operator may collect the surname, first name, middle name of the data subject, date of birth and identification number (if not, the number of the ID document) only if it is required for the purposes of processing. Such information shall be provided by the data subject at the time he/she provides the consent.

Collection and processing of personal data shall be performed having implemented certain legal, organisational and technical measures for personal data protection. The organisational measures may include establishing a special entrance regime to the premises used for collection and processing, designation of employees who can have access to such premises and data, and differentiation of access levels to respective information. The technical measures may include using cryptography, technical means and other possible measures of control over information protection.

TRANSFER

The general rule is that cross-border transfer is prohibited, unless a foreign state provides an appropriate level of protection of the personal data subjects’ rights. NPDPC has established the list of foreign states which ensure an appropriate level of protection. The list includes foreign states that are parties to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, adopted in Strasbourg on 28 January 1981.

However, there are certain exceptions when transfer to jurisdictions with an inappropriate level of protection will be allowed, for example upon respective consent of the personal data subject after informing them of the possible risks, or under an individual permit for cross-border transfer issued by NPDPC.

SECURITY

The owners of the information systems should take appropriate technical, legal and organizational measures to secure personal data processed in their information systems. The key technical measure is creation of the information protection system to secure the information system of an entity intended for processing of personal data. The information protection system shall be attested according to the procedure established by the OAC.

BREACH NOTIFICATION

Data Protection Law establishes an obligation to notify the National Personal Data Protection Center of a breach of systems used for personal data protection immediately, but not later than within three days of discovery, in writing or in the form of an electronic document. Exceptions to this requirement are cases where a breach of security systems has not resulted in the unlawful dissemination or provision of personal data, or the modification, blocking or deletion of personal data without the possibility of restoring access to it.

Certain additional requirements on the notification of the OAC are set for specific cases of information protection system breaches or periodical reporting as required by Belarus law. The respective requirements are set forth in the Regulations on the procedure for submitting information about information security events, the state of technical and cryptographic protection of information to the OAC, as approved by the Order of the OAC of 2 February 2020 No. 66.

ENFORCEMENT

According to Data Protection Law, NPDPC supervises the processing of personal data by operators and authorised persons. In the case of a breach of personal data legislation, NPDPC has the right to issue a demand to eliminate the detected violations and/or to terminate personal data processing in the information resource (system). The term for elimination and/or termination is set by the NPDPC, but shall not be longer than six months.

Violation of personal data protection legislation may result in civil, criminal and administrative liability. If the violation has led to moral damages, the violator may be required by the court to reimburse such damages.

Since 1 March 2021 the Administrative Offences Code of the Republic of Belarus stipulates specific sanctions for personal data processing violations, including:

- intentional illegal collection, processing, storage or transfer of personal data of an individual or violation of his/her rights related to the processing of personal data may cause a fine of up to 50 base units; intentional distribution – up to 200 base units (as of 1 January 2022 one base unit equals BYN 32, approx. EUR 11);
- non-compliance with requirements on data protection measures implementation may cause a fine ranging from 20 to 50 base units for legal entities.

The Criminal Code of the Republic of Belarus envisages criminal liability for the following breaches:

- unlawful collection or provision of information relating to the private life and (or) personal data of another person without his/her consent (depending on the circumstances, such as volume or gravity): a person could be sentenced to community work, a criminal fine, arrest, or the restriction or deprivation of liberty for up to two years. For unlawful distribution – restriction or deprivation of liberty for up to three years with a criminal fine. Higher liability may apply if the offence relates to victims performing public functions;
- failure to comply with measures to ensure the protection of personal data by a person who processes personal data, which has inadvertently resulted in their dissemination and caused serious consequences: a person could be sentenced to a criminal fine, deprivation of the right to occupy certain job positions or perform certain activities, corrective work for up to one year, arrest, or the restriction of liberty for up to two years or deprivation of liberty for up to one year.

ELECTRONIC MARKETING

Electronic marketing is subject to the rules established by the Law on Advertising of 10 May 2007 No. 225-Z (Advertising Law)

and the Law on Mass Media of 17 July 2008 No. 427-Z (Mass Media Law).

According to the general rule of the Advertising Law it is not allowed to use in advertising names, pseudonyms, images or

statements of citizens of the Republic of Belarus without their consent or the consent of their legal representatives.

Distribution of advertisements by telecommunication means (e.g. telephone, telex, facsimile, mobile telephone communications, email) can be performed only with the consent of the respective subscriber or addressee. Such consent can be made as a text document, including a document in electronic form. The consent can also be a part of an agreement for telecom services. In this case the subscriber or addressee must be informed about her/his right to demand that placing (distributing) advertisements to her/him be stopped, which shall be specifically confirmed by the subscriber (addressee).


The advertisement distributor is obliged to immediately stop advertising to a subscriber or addressee upon his/her demand, within one working day of receiving the demand.

Individuals whose rights have been violated as a result of creation and/or distribution of an advertisement are entitled to protect their rights in court proceedings.

According to the Mass Media Law, information about a person’s personal life or audio, video records and photos of a person can be distributed in mass media as a general rule only with the consent of such person or his/her authorised representative. As an exception, distribution in the media of information messages and (or) materials prepared using audio or video recording, filming or photos of an individual without her/his consent is allowed only if measures are taken against the possible identification of this individual by unauthorized persons, and also provided that the dissemination of these information messages or materials does not violate the constitutional rights and freedoms of the individual and is necessary to protect public interests (except for criminal investigations or court proceedings).

ONLINE PRIVACY

Belarus law does not specifically regulate online privacy. General requirements on personal data protection apply.

Certain specific online privacy requirements can be established under the legislation. For example, personal data of a person who is a domain name administrator can be disclosed in the online WHOIS service of the Belarusian domain zone only with the consent of such person. However, consent is not required if the domain name was registered in the name of an individual entrepreneur.

KEY CONTACTS

Sorainen

www.sorainen.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Kirill Laptev
Partner

Sorainen

T +375 17 306 2102

kirill.laptev@sorainen.com

Pavel Lashuk
Associate

Sorainen

T +375 17 306 2102

pavel.lashuk@sorainen.com


BELGIUM

Last modified 30 December 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The GDPR has been integrated in Belgium through a few new laws. The ‘Data Protection Act’ of July 30, 2018 provides for the implementation of some of the GDPR provisions open to further definition, derogation or additional requirements. It also includes the transposition of the 2016/680 Directive regarding the processing of personal data in the criminal justice chain and the establishment of a Control body on police information (called ‘COC’). Additionally, it regulates the authorities outside the scope of the EU law (including intelligence and security services).[1]

The Belgian Data Protection Authority, the successor of the Belgian Privacy Commission, was established by the Belgian Federal Chamber of Representatives by the Act of December 3, 2017 (‘DPA Act’).[2] Several other laws have also been adapted to align them with the GDPR (e.g. Video Surveillance Act).

The competent Secretary of State has announced that legislative proposals for a reform of Belgian data protection law (i.e. both the Data Protection Act and the DPA Act) would be introduced before the Federal parliament in the course of 2022. According to public statements made by the Secretary of State, this reform would inter alia address the functioning of the Data Protection Authority and strengthen cooperation of the Data Protection Authority with other regulators.


1. See the Data Protection Act.

2. See the DPA Act.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Data Protection Act builds on the definitions contained in the GDPR and further clarifies some notions, such as the notion of ‘public authority’.[1] It further adds the definitions of a ‘trusted third party’, ‘disclosure of personal data’ and ‘distribution of personal data’ in the context of the research and statistical purposes exception. The Data Protection Act also clarifies certain concepts such as ‘processing in the substantial public interest’,[2] the ‘processing for journalistic purposes’[3] and introduces new concepts such as ‘a joint database’.[4]

1. Art. 5 Data Protection Act.

2. Art. 8 para. 1 Data Protection Act.

3. Art. 24 para. 1 Data Protection Act.

4. Art. 48 Data Protection Act.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).


Data Protection Act: http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&cn=2018073046&table_name=wet

DPA Act: http://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=nl&la=N&table_name=wet&cn=2017120311


However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The DPA Act establishes the Data Protection Authority as the successor of the Privacy Commission which was established under the old data protection legislation. The Data Protection Authority has the competences as set out in the GDPR whenever that competence has not been explicitly assigned to another body.

The Data Protection Act appoints three more regulatory authorities at the federal level (COC,[1] Committee I[2] and Committee P[3]) with varying data protection related competences next to the general Data Protection Authority. In addition, there are also regional supervisory authorities who have been entrusted mainly with the supervision of the public authorities of the regions.

The composition of the Data Protection Authority has proven controversial due to the involvement of some members in government bodies. The European Commission has warned Belgium that it would start an infringement procedure before the EU Court of Justice if the problems regarding the Data Protection Authority’s independence were not resolved. Therefore, a legislative proposal was introduced before the Federal parliament at the end of 2021 to amend the DPA Act by partially reforming the rules on the composition of the Data Protection Authority.[4]

1. Art. 231 Data Protection Act.

2. Art. 72 para. 2, 7° Data Protection Act.

3. Art. 26, 7°, c) Data Protection Act.

4. Legislative proposal of 26 November 2021, amending the Act of 3 December 2017 establishing the Data Protection Authority, in order to modify the composition of the centre of expertise so that the independence of its members can be guaranteed (Doc. No. 55-2347/001), www.lachambre.be/flwb/pdf/55/2347/55K2347001

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The registration of processing activities through a notification has been abolished. However, in the public sector, the Data Protection Act obliges the controller of processing activities in the context of police services to publish a protocol detailing the transfer to a public authority or private body based on public interest and compliance with legal obligations.[1]


1. Art. 20 Data Protection Act.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

In addition to the GDPR, the Data Protection Act requires the appointment of a DPO depending on the impact of the processing activity, namely if it may entail a high risk as referred to in article 35 of the GDPR when (i) a private law body processes personal data on behalf of a federal public authority or a federal public authority transfers personal data to this private law body in the context of police services[1] or (ii) the processing falls under the exception necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.[2] Some public authorities regulated by the Data Protection Act are also required to appoint a DPO.[3]

The Data Protection Authority has addressed the GDPR requirements for the appointment of DPOs and the exercise of its tasks in several cases, including in relation to the position of the DPO and its independence, the obligation to directly report to the highest management level and the requirement that a DPO must have “expert knowledge”.

1. Art. 21 Data Protection Act.

2. Art. 190 Data Protection Act.

3. The Center for Missing and Sexually Exploited Children (Child Focus) Art. 8 para. 3 Data Protection Act; Competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security implementing Directive 2016/680 Art. 63 et seq Data Protection Act; Intelligence and security services Art. 91 Data Protection Act; Bodies for security clearances, certificates and recommendations Art. 124 Data Protection Act; Coordination Unit for Threat Assessment Art. 157 Data Protection Act.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;


where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;


the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xls).


Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Data Protection Act adds only a few specificities to the general processing requirements. The age for consent of children for the purposes of article 8.1 GDPR is 13 years.[1] When processing genetic, biometric and health data, a controller needs to indicate who has access to these personal data, keep a list of the categories of people who have access to these data, keep this list at the disposal of the DPA, and ensure that these people are bound by a legal, statutory or contractual obligation of confidentiality.[2] The Data Protection Authority has adopted specific guidelines regarding the processing of biometric data.[3]

The Data Protection Act also provides a list of legal bases for processing data relating to criminal convictions and offences and requires an access management list and confidentiality duties (as described here above) for processing such data.[4]

Data subject rights

The Data Protection Act provides further exceptions to data subject’s rights, including the right to be informed when personal data is received from authorities under special regimes[5] or when personal data is disclosed to these bodies.[6]

With respect to the special regimes addressed in the Data Protection Act, the Data Protection Act also sets out the

corresponding data subject rights (which are often more limited than those included in the GDPR) . 7

The Data Protection Act clarifies that data subject rights, including the right to information in judicial

proceedings/decisions, will be accommodated in accordance with the Judicial Code, the Code on Criminal proceedings

and any specific laws related to criminal law procedure .8

1. Art. 7 Data Protection Act.
2. Art. 9 Data Protection Act.
3. Data Protection Authority, Recommendation on the processing of biometric data (No. 1-2021, 1 December 2021).
4. Art. 10 Data Protection Act.
5. Art. 11, Art. 13 and Art. 14 Data Protection Act.
6. Art. 12 Data Protection Act.
7. Art. 36 et seq, Art. 79, Art. 105 (9), Art. 113, Art. 145, Art. 173 Data Protection Act.
8. Art. 16 Data Protection Act.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Belgium 109 | | | www.dlapiperdataprotection.com

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU – U.S. Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context-specific derogations, permitting transfers to third countries where:

- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

No general additional requirements relating to transfers are introduced by the Data Protection Act. The Data Protection Act only regulates the transfer of personal data under the special regimes, which in certain cases provides for less leeway for transfers.[1]

1. Art. 66-70, Art. 93-94, Art. 126-127, Art. 159-160 Data Protection Act.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Data Protection Act inserts no general additional requirements in relation to security measures. In the context of archiving, scientific or historical research purposes or statistical purposes, the Data Protection Act sets out specific rules including anonymization or pseudonymization requirements.[1]

Security measures are also detailed for each special regime but resemble the GDPR.[2]

1. Art. 198 et seq Data Protection Act.
2. Intelligence and security services: Art. 88-89 Data Protection Act; Bodies for security clearances, certificates and recommendations: Art. 121-122 Data Protection Act; Coordination Unit for Threat Assessment: Art. 154-155 Data Protection Act; Passenger Information Unit: Art. 179-180 Data Protection Act.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

No general additional requirements are inserted in the Data Protection Act relating to data breaches. Data breach obligations are also detailed for each special regime, but they resemble those contained in the GDPR.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on their subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

- any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In addition to the GDPR, the Data Protection Act introduces a specific procedure for actions for injunctions that can be initiated by the data subject or by the Data Protection Authority (DPA).[1] These claims should be brought before the President of the Court of First Instance except when the personal data is processed in criminal investigations or procedures.[2] There is no single court territorially competent to hear these claims.[3]

The Data Protection Act also contains a legal basis that allows a body, organisation or non-profit organisation to represent the data subject upon its request when it:

- was founded in accordance with Belgian law;
- has legal personality;
- has statutory objectives of public interest; and
- has been active in the area of the protection of personal data for at least 3 years.[4]

The DPA can impose administrative fines under article 83 of the GDPR,[5] but public authorities, their agents and authorised representatives are exempted insofar as they are not offering goods or services on the market.[6] A supervisory authority can exercise the corrective measures set out in article 58.2 GDPR but, with regard to public authorities, only over the categories enumerated in the Data Protection Act.[7]

Depending on the infringement and the infringer, the controller, processor, competent public authority or their agent can be subjected to criminal sanctions, such as criminal fines between EUR 800 and EUR 160,000 and publication of the judgement.[8]

The DPA consists of 6 different Committees. The Inspection Committee of the DPA enjoys investigation powers, such as to identify persons, interview persons, conduct written interrogations, conduct on-site investigations, consult information systems and copy the data they contain, consult information electronically, seize or seal goods or computer systems and demand the identification of the subscriber or the normal user of an electronic communication service or of the electronic means of communication used.[9] Additionally, the inspector-general and the inspectors of the Inspection Committee may order the temporary suspension, restriction or freezing of the data processing activities that are the subject of an investigation if this is necessary to avoid a serious, immediate and difficult to repair disadvantage.[10] They can also request further information.[11]

The Litigation Chamber can follow up on a complaint but can also, inter alia, propose a settlement, formulate warnings and reprimands, order compliance with data subjects’ requests to exercise their rights, order the suspension of cross-border data flows and impose periodic penalty payments and/or administrative fines.[12]

Specific provisions according to Art. 85 to 87 and Art. 89 GDPR

The legislator has made use of the opportunity offered by the GDPR to provide exemptions or derogations from certain obligations when the processing is carried out for journalistic purposes and the purposes of academic, artistic or literary expression. For those purposes, the Data Protection Act exempts the controller not only from respecting certain data subjects’ rights under the GDPR but also from some obligations of the controller (e.g. notification in case of breaches, transfer requirements, etc) and from the investigative powers of the DPA.[13]

The Data Protection Act also introduces two regimes for the derogations relating to the processing for archiving, scientific or historical research purposes or statistical purposes:

- general safeguards requiring among others register,[14] information,[15] contractual and security requirements; or
- compliance with a code of conduct.[16]

The Data Protection Act does not include other derogations relating to employment.

1. Art. 211 par. 3 Data Protection Act.
2. Art. 209 Data Protection Act.
3. Art. 209 par. 2 Data Protection Act.
4. Art. 220 par. 2 Data Protection Act.
5. Art. 101 DPA Act.
6. Art. 221 par. 2 Data Protection Act.
7. Art. 221 par. 1 Data Protection Act.
8. Art. 222 et seq Data Protection Act.
9. Art. 66 DPA Act.
10. Art. 70 DPA Act.
11. Art. 76 DPA Act.
12. Art. 95 DPA Act.
13. Art. 24 Data Protection Act.
14. Art. 193 Data Protection Act.
15. Art. 194 Data Protection Act.
16. Art. 187 Data Protection Act.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The Data Protection Act applies to most electronic marketing activities, as there is likely to be processing of personal data involved (e.g. an email address is likely to be ‘personal data’ for the purposes of the Data Protection Act). The Data Protection Act does not contain additional rules to the GDPR for the use of personal data for the purposes of electronic marketing.

However, specific rules are set out in the Belgian e-commerce legislation (Book XII of the Code of Economic Law) regarding opt-in requirements:

- These rules apply to all ‘electronic messages’, such as emails and text messages (Short Message Service or SMS). Other types of electronic communication such as instant messaging and chat may also fall within the scope of these rules depending on the specific context. This covers not only clear promotional messages, but also newsletters and similar communications. Indeed, any form of communication intended to directly or indirectly promote goods, services, or the image of a company, organisation or person which/who exercises a commercial, industrial or workmanship activity or regulated profession falls within the scope of these rules.
- As a general principle, the prior, free, specific and informed consent of the recipient of the message must be obtained (‘opt-in principle’).
- Two exceptions apply to the opt-in principle. No prior, free, specific and informed consent is to be obtained if:
  - the electronic marketing message is sent to existing customers of the service provider, or
  - the electronic message is sent to legal persons (e.g. to a general email address such as info@company.com).
  These exceptions are subject to compliance with strict conditions.
- Furthermore, all electronic messages must contain a clear reference to the recipient’s right to opt out, including means to exercise this right electronically.

Neither the Data Protection Act nor the DPA Act include specific provisions on electronic marketing.

The Data Protection Authority has adopted specific guidelines regarding direct marketing.[1]

1. Data Protection Authority, Recommendation on the processing of personal data for direct marketing purposes (No. 1-2020, 17 January 2020).

ONLINE PRIVACY

Cookies

Article 5 (3) of the E-Privacy Directive has been implemented into Belgian law by means of an amendment to article 129 of the Belgian Electronic Communication Act.

The use and storage of cookies and similar technologies requires:

- the provision of clear and comprehensive information, and
- consent of the website user.

Consent is not required for cookies that are:

- used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or
- strictly necessary for the provision of a service requested by the user.

Neither the Data Protection Act nor the DPA Act include specific provisions on cookies.

The DPA has recently provided useful additional guidance related to topics such as cookie walls, social media plugins and the validity of consent through browser settings.

Download DLA Piper’s Guide on Cookies: https://www.dlapiper.com/en/uk/insights/publications/2020/11/european-law-on-cookies/

Location data

As location data are personal data, the processing of these data must comply with the general rules stipulated by the GDPR, the Data Protection Act and, depending on the context, article 129 of the Belgian Electronic Communication Act. Neither the Data Protection Act nor the DPA Act include specific provisions on location data.

In addition, article 123 of the Belgian Electronic Communication Act stipulates that mobile network operators may process location data of a subscriber or an end user only to the extent that the location data has been anonymised, or if the processing is carried out in the framework of the provision of a service regarding traffic or location data.

The processing of location data in the framework of a service regarding traffic or location data is subject to strict conditions set forth in article 123.

Traffic data

As traffic data constitute personal data, the processing of traffic data must comply with the general rules stipulated by the GDPR, the Data Protection Act and, depending on the context, article 129 of the Belgian Electronic Communication Act. Neither the Data Protection Act nor the DPA Act include specific provisions on traffic data.

However, in accordance with article 122 of the Belgian Electronic Communication Act, mobile network operators are required to delete or anonymise traffic data of their users and subscribers as soon as such data is no longer necessary for the transmission of the communication (subject to compliance with cooperation obligations with certain authorities).

Subject to compliance with specific information obligations and subject to specific restrictions, operators may process certain traffic data for the purposes of:

- invoicing and interconnection payments;
- marketing of the operator’s own electronic communication services or services with traffic or location data (subject to the subscriber’s or end user’s prior consent); and
- fraud detection.

KEY CONTACTS

Kristof De Vulder
Partner
T +32 (0) 2 500 15 20
kristof.devulder@dlapiper.com

Heidi Waem
Counsel
T +32 2500 1614
heidi.waem@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

BENIN

Last modified 10 January 2022

LAW

The data protection regime in Benin is governed by two pieces of legislation, namely Law No. 2017-20 of April 20, 2018 on the digital code and Law No. 2009-09 of May 22, 2009 dealing with the Protection of Personally Identifiable Information.

The Law on the digital code deals with the collection, treatment, transmission, storage, and use of personal data by a person, the state, local authorities, and legal persons, as well as automated processing and non-automated processing of personal data contained in files, or any processing of data for public security, defence, research, prosecution of criminal offenses, or the security and essential interests of the state.

By contrast, the Law on the Protection of Personally Identifiable Information relates to the digital processing of personally identifiable information in digital or manual files, as well as personal identification mechanisms based on nominative, personal, and biometric information processed alongside a national ID number.

DEFINITIONS

Definition of Personal Data

Personal data is defined as any information relating to an identified or identifiable natural person. The definition makes a direct reference to sound and image (Article 1 of the Digital Code).

Definition of Sensitive Personal Data

Pursuant to Article 1 of the Digital Code, the following personal data is considered ‘sensitive’ and is subject to specific processing conditions: personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; health-related data; data concerning a person’s sex life or sexual orientation; and data relating to prosecutions and to criminal and administrative penalties.

NATIONAL DATA PROTECTION AUTHORITY

The APDP (the Beninese data protection authority) is the regulator for data in the Republic of Benin. It is an independent administrative body with legal personality that ensures the application of the provisions of the Digital Code and of the right to privacy.

The APDP’s powers and responsibilities include:

- raising public awareness of the risks, rules, and rights surrounding the processing of personal data;
- authorising or denying requests for processing;
- receiving and investigating complaints about the misuse of personal data;
- conducting necessary inspections regarding personal data processing, and obtaining all information and documents needed;
- informing data controllers of alleged violations of the law and issuing mandatory measures for remedying these violations;
- imposing administrative sanctions on data controllers in the case of noncompliance;
- informing the public prosecutor of offenses committed under the law;
- keeping a public register of personal data processing operations;
- issuing public opinions on the state of data protection law;
- proposing amendments to simplify and improve data protection legislation, where necessary; and
- cooperating with international data protection authorities to share information and assistance, as well as participating in international negotiations.

Data controllers are required to file an annual report with the APDP concerning compliance with the processing.

REGISTRATION

There is no country-wide system of registration in the Republic of Benin. However, the law imposes an obligation of notification and requires the controller to keep a register of processing activities carried out under its responsibility.

Pursuant to Article 405 of the Digital Code, automated or non-automated processing carried out by public or private bodies and involving personal data must, prior to its implementation, be the subject of a prior declaration to the Authority or be entered in a register kept by the person designated for that purpose by the controller.

All processing of personal data is subject to a reporting obligation to the Authority, except for the exemptions provided for in Book V of the Digital Code (see Articles 408, 410, 411, and 417 of the Digital Code).

In terms of Article 435 of the Digital Code, each controller and, where applicable, the controller’s representative shall keep a register of the processing activities carried out under their responsibility.

This register shall include all of the following information:

- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
- where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation;
- the time limits for the deletion of the different categories of data;
- a general description of technical and organisational security measures.

Each processor and, where applicable, the processor’s representative shall also maintain a record of all categories of processing activities performed on behalf of the controller including:

- the name and contact details of the sub-processor(s) and of each controller on whose behalf the processor is acting and, where applicable, the names and contact details of the controller’s or processor’s representative and of the data protection officer;
- the categories of processing carried out on behalf of each controller;
- where applicable, transfers of personal data to a third country or to an international organisation, including the identification of that third country or international organisation and, in the case of transfers, the documents attesting to the existence of appropriate safeguards;
- a general description of the technical and organisational security measures.

The above-mentioned records must be in written form, including electronic form.

The controller or processor and, if applicable, their representative shall make the register available to the Authority upon request.

The obligation to keep a register does not apply to small and medium-sized enterprises except in the following cases:

- if the processing they carry out is likely to involve a risk to the rights and freedoms of the data subjects;
- if it is not occasional or if it concerns in particular the special categories of data referred to in article 394 paragraph 1 of the Digital Code, or personal data relating to criminal convictions and offences.

DATA PROTECTION OFFICERS

According to Article 430 of the Digital Code, a Data Protection Officer (DPO) must be appointed when the data controller is a state-owned organisation, or when the activities of the data controller or data processor involve large-scale monitoring of individuals or large-scale processing of sensitive data.

Outside those cases the Digital Code does not impose a strict duty to appoint a DPO; however, organisations that have appointed a DPO are exempt from notifying the APDP of their data processing (Article 408 of the Digital Code).

COLLECTION & PROCESSING

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 383):

processed lawfully, fairly and transparently;

collected for specific, explicit, and legitimate purposes and not subsequently processed in a manner inconsistent with

those purposes;

processed appropriately, in a manner relevant and not excessive with regard to the purposes for which they are collected

and processed;

accurate and, if necessary, updated. All reasonable steps must be taken to ensure that inaccurate or incomplete data is

erased or corrected;

kept in a form that allows the identification of data subjects for a period not exceeding that necessary to achieve the

purposes for which they are collected or for which they are processed;

processed in a manner that ensures appropriate security of personal data.

Notwithstanding the above, the overriding principle governing the processing of personal data in Benin is the prior consent of the data subject (see Article 6 of the Data Protection Law and Article 389 of the Digital Code).

There are some exceptions to this principle. The prior consent of a data subject is not required when processing the data is meant

to:

comply with a legal obligation to which the controller is subject

perform a task in the public interest or a task falling within the exercise of public authority, which is entrusted to the controller or to the third party with whom the data are shared

perform a contract to which the data subject is a party or perform pre-contractual measures taken at the request of the

data subject

protect fundamental interests or rights

perform certain activities in the framework of journalism, research or artistic or literary expression in compliance with

the ethical rules of these professions 

When the processing is entrusted to a subcontractor, the controller or, where appropriate, his representative in the Republic of

Benin, must:

choose a processor providing sufficient guarantees with regard to the technical and organisational security measures governing the processing

conclude a contract with the processor, either in writing or by electronic means

define in that contract, among other things, the processor's responsibilities towards the controller and its obligations regarding the privacy and security of the data


Under the applicable data protection law in Benin, individuals possess the following rights:

right to obtain all their personal data in a clear format, as well as any available information as to their origin;

right to withdraw consent for personal data processing at any time;

the right to object, for lawful reasons, to the processing of their personal data;

right to oppose the processing of their personal data for marketing purposes;

right to rectify or erase personal data when it is deemed inaccurate or incomplete;

right to not be subject to decisions made on the sole basis of an automated processing that would produce significant risks

or harm;

right to be forgotten, or to have information made public about themselves deleted from records; and

right to obtain damages from data controllers when a breach occurs, leading to a material or non-pecuniary damage to a

person. 

Right to be informed

Data controllers must provide data subjects with information describing, among other things:

the processing activities, such as data category;

the purpose of processing;

data recipients;

the existence of profiling activities; and

the identity and contact details of the data controller; and the rights of the data subject.

Right to access

Any natural person whose personal data is processed may request from the controller the information needed to know and contest the processing of their personal data, the communication, in intelligible form, of the personal data concerning them, and any available information as to the origin of that data.

Right to rectification

Any natural person may require the data controller to correct, complete, update, block or delete personal data concerning them that is inaccurate, incomplete, ambiguous, out of date or irrelevant, or whose collection, use, disclosure or retention is prohibited, and to do so as soon as possible. To exercise the right of rectification or deletion, the interested party sends a dated and signed request, by post or electronically, to the controller or its representative.

Within 45 days of receiving the request, the controller must communicate the rectifications or erasures made to the data subject, and also to any persons to whom the data in question (inaccurate, incomplete, equivocal, outdated or irrelevant data, or data whose collection, use, communication or storage is prohibited) had previously been communicated.

Right to erasure

See section above. 

Right to object/opt-out

Any natural person has the right to object, at any time, for legitimate reasons, to the processing of personal data concerning him.

The data subject also has the right to be informed before data concerning them is communicated for the first time to third parties, or used on behalf of third parties, for prospecting purposes (in particular commercial, charitable or political), and to be expressly offered the opportunity to object, free of charge, to that communication or use.

Right to data portability

Data subjects have the right to receive the personal data concerning them that they have provided to a controller in a structured, commonly used and machine-readable format, and to transmit that data to another controller without hindrance from the controller to which the data was provided, when:

the processing is based on consent or on a contract; and

the processing is carried out using automated processes. 

When the data subject exercises his right to data portability in application of the first paragraph, he has the right to obtain that the

personal data are transmitted directly from one controller to another, when this is technically possible. 

This right does not apply to processing necessary for the performance of a task of public interest or relating to the exercise of

public authority vested in the controller. The right referred to in the first paragraph does not infringe the rights and freedoms of

third parties.

TRANSFER

A personal data processor may transfer data to a foreign country if the receiving country ensures an adequate level of protection

for the privacy and human rights and freedoms of the persons concerned. 

The level of protection will be assessed according to: 

the data protection laws of the recipient country;

the safety measures; and

the characteristics of the processing (purpose, duration, nature, origin and destination of the processed data).

Even where the recipient country is not deemed to provide adequate protection, the APDP may authorise a transfer that is accompanied by protective measures such as contractual clauses or binding internal rules.

Certain categories of data, such as biometric data, health data, data relating to serious infringements and data relating to criminal offences, are considered to present specific risks to the rights and freedoms of individuals; transfers of such data require prior approval under Article 41 of the Law on the Protection of Personally Identifiable Information.

SECURITY

The Law on the Digital Code adopts a proportionate, context-specific approach to security. 

Article 426 of this Law states that in order to guarantee the security of personal data, the controller and/or its processor must

implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction

or accidental loss, alteration, unauthorised disclosure or access, interception, in particular where the processing involves the

transmission of data over a network, and against all other forms of unlawful processing. 

These measures must ensure an appropriate level of security having regard, on the one hand, to the state of the art and the costs of implementing them and, on the other hand, to the nature of the data to be protected and the risks presented by the processing.

It is also the responsibility of the data controller, his representative and the sub-processor to ensure compliance with these

security measures. 

The Law on the Digital Code does require controllers and processors to consider the following when assessing what might

constitute adequate security: 

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

No specific requirements other than those set forth in the Law.

BREACH NOTIFICATION

A data controller must notify the Commissioner of the APDP of any breach to the security safeguards of personal data, without

delay (Article 427 of The Law on the Digital Code). 

The notification must, at a minimum:

describe the nature of the security breach that affected personal data including, if possible, the categories and approximate

number of individuals affected by the breach and the categories and approximate number of personal data records

affected;

provide the name and contact information of the Data Protection Officer or other point of contact from whom additional

information can be obtained;

describe the likely consequences of the security breach;

describe the steps taken or proposed to be taken by the controller to remedy the security breach, including, if applicable,

steps to mitigate any adverse consequences.

ENFORCEMENT

Not applicable.

ELECTRONIC MARKETING

The personal data protection legislation will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address that includes the recipient's name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 245 of Law No. 2017-20 of 20 April 2018 on the Digital Code in the Republic of Benin).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject at any time under Article 334 of the same Law.

The data subject has the right to object at any time to the use of his/her personal data for such marketing. 

This right to object must be explicitly brought to the attention of the data controller. 

However, the data controller may decline a request to exercise the right to object if it demonstrates legitimate reasons for the processing which override the interests, fundamental rights and freedoms of the data subject.

ONLINE PRIVACY

Not applicable.


KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.

Dr. Sangare Mouhamoud
Associate

Geni & Kebe

T +2250779107541

m.sangare@gsklaw.sn

Dr. Francky Lukanda
Senior Associate

Geni & Kebe

T +2250584344660

f.lukanda@gsklaw.sn


BERMUDA

Last modified 24 January 2022

LAW

The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the

form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA are not yet in force but are

expected to come into force in 2022.

Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.

DEFINITIONS

Definition of use

PIPA applies to the “use” of personal information, and defines “use” as carrying out any operation on personal information,

including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting,

disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Definition of personal data

PIPA provides for a definition of “personal information” as meaning “any information about an identified or identifiable individual”.

At common law, information is generally to be regarded as ‘confidential’ if it has a necessary quality of confidentiality and has been

communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if

obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party

who is subject to a duty of confidentiality.

Definition of sensitive personal data

PIPA provides for a definition of “sensitive personal information” as meaning “any personal information relating to an individual’s

place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental

disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric

information or genetic information”. 

NATIONAL DATA PROTECTION AUTHORITY

Alexander White, a US lawyer, has been appointed Privacy Commissioner with effect from 20 January 2020. He will be responsible

for setting up the Privacy Commissioner’s Office, hiring and training staff, undertaking investigations, providing reports and

developing public awareness of the rights of individuals and the obligations of organisations under PIPA.

REGISTRATION


There is no system of registration and none provided for in PIPA.

DATA PROTECTION OFFICERS

There is currently no requirement to appoint a data protection officer. Once PIPA is fully in force, organisations covered by the

legislation will be required to appoint a “privacy officer” for the purposes of compliance with PIPA.

COLLECTION & PROCESSING

Once fully in force, PIPA will regulate the collection and processing of personal information and will apply to any individual, entity

or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured

filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.

The common law, which will continue to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to

misuse or threaten to misuse confidential information.  The concept of ‘misuse’ is a broad one, but will often include any

unauthorised disclosure, examination, copying or taking of confidential information.  The precise scope of the term however will

depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

TRANSFER

Once fully in force, PIPA will regulate the transfer of personal information to an overseas third party. The legislation provides that

the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the

organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to

ensure that the overseas third party provides comparable protection for the personal information.

SECURITY

Once fully in force, PIPA will make provision for the implementation of proportional security safeguards against risk including loss,

unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential

information (deliberately or otherwise) may be liable at common law. 

BREACH NOTIFICATION

Once fully in force, PIPA will require notification of a breach of security leading to the loss or unlawful destruction or

unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual to (a) the individual

concerned; and (b) the Privacy Commissioner. 

The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and

the measures the organisation is taking to address the breach.

ENFORCEMENT

Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of

remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or

emotional distress for failure to comply with the legislation (subject to a reasonable care defence). In addition, PIPA makes

provision for criminal offences and penalties (including imprisonment) for misuse of personal information. In addition, a breach of

the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction.  These

remedies are to be sought through, and enforced by, the Bermuda courts.

An individual convicted of an offence under PIPA will be liable to a fine of up to BMD 25,000 and/or to imprisonment for up to

two years. An organisation convicted of an offence under PIPA will be liable to a fine of up to BMD 250,000. Proceedings can be

brought against company directors and other officers in a personal capacity.

ELECTRONIC MARKETING

The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a


standard to apply to intermediaries or e-commerce service providers and such a standard was issued by the Minister on 5 May

2000 and came into force on 3 July 2000 (Standard). The definition of “e-commerce service provider” is “a person who uses

electronic means in providing goods, services or information” while an “intermediary” (with respect to an electronic record)

means “a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services

with respect to that electronic record”. The Standard set out certain “Safe Harbour Guidelines” which included certain privacy

requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for

the purposes of sending bulk, unsolicited electronic records.  

ONLINE PRIVACY

Once fully in force, PIPA will make special provision based on parental consent for certain uses of personal information about a

child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information

beyond those generally applicable to the use of confidential information.

KEY CONTACTS

Carey Olsen

www.careyolsen.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.

Michael Hanson
Managing Partner

Carey Olsen

T +1 441 542 4501

michael.hanson@careyolsen.com

Keith Robinson
Partner

Carey Olsen

T +1 441 542 4502

keith.robinson@careyolsen.com


BOLIVIA

Last modified 24 January 2022

LAW

Bill of Personal Data Protection;

The Political Constitution of the Plurinational State of Bolivia, in Article Nº130.

Any individual or collective person who believes they have been unduly or illegally prevented from knowing, objecting to, or obtaining the deletion or rectification of data registered in public or private files or databases by any physical, electronic, magnetic or computer means, or whose fundamental right to personal or family privacy, or to their own image, honour and reputation, is affected by such data, may file a Private Protection Action.

DEFINITIONS

Definition of personal data 

Any information about an identified or identifiable natural person, expressed in numbers, letters, graphics, photographs, alphanumeric symbols, acoustic forms or any other type of data. A person is considered identified when their identity can be determined directly or indirectly, provided this does not require disproportionate time or effort.

Definition of sensitive personal data 

Data that refers to the intimate sphere of the individual, or whose inappropriate use can cause discrimination of any type or high

risk to the particular individual.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Authority is the Agency for Electronic Government and Information and Communication Technologies (AGETIC).

REGISTRATION

Registration is not established in the Bill of Personal Data Protection in a prescriptive manner. The Bill does, however, establish that personal data can only be processed with the consent of its owner, unless by court order issued for reasons of public interest. It is not yet established whether entities or persons interested in the personal data of a third party must request authorisation from the Personal Data Protection Authority.

DATA PROTECTION OFFICERS

The President of the Personal Data Authority is the principal officer and has an Executive Council with three members:

the General Director of the Agency for Electronic Government and Information and Communication Technologies; and

two designated members of the Executive Council.

The Executive Council of the Personal Data Protection Authority will be assisted by a Consultative Council composed of six members:

a person with human rights experience;

a judicial organ representative;

an electoral organ representative;

a Public Ministry representative;

an academic area representative; and

a private sector representative.

COLLECTION & PROCESSING

Under the legitimation principle, the person responsible for the data may only process personal data when the owner grants consent for one or more specific purposes, when necessary for the fulfilment of a court order, for the defence or recognition of the rights of the holder/owner before a public authority, to protect the vital interests of the holder/owner or of another natural person, or for other legitimate and informed reasons.

TRANSFER

Nothing in the Bill of Personal Data Protection is established concerning transfer.

SECURITY

The person responsible for the personal data bank must adopt technical, organisational and legal measures that guarantee its security and prevent its alteration, loss, or unauthorised processing or access.

The requirements and conditions that personal data banks must meet regarding security are established by the National Authority

for the Protection of Personal Data, except for the existence of special provisions contained in other laws. 

The processing of personal data in data banks that do not meet the requirements and security conditions is prohibited.

BREACH NOTIFICATION

When the person in charge becomes aware of a breach of the security of personal data occurring at any stage of processing, understood as any damage, loss, alteration, destruction, access and, in general, any illegal or unauthorised use of personal data, even where accidental, they must notify the supervisory authority and the affected owners immediately.

This does not apply where the person in charge can demonstrate, under the principle of proactive responsibility (accountability), that the security breach that occurred could not have compromised the data, or that it does not represent a risk to the rights and freedoms of the owners involved.

The notification made by the person responsible to the affected owners will be written in a clear and simple language. 

The notification should contain at least the following information:

the nature of the incident;

the Personal data compromised;

corrective actions taken immediately;

recommendations to the holder about the measures that can help protect their interests; and

the means available to the holder to obtain more information. 

The person responsible must document every breach of data security that occurs at any stage of processing, recording at least the date on which it was discovered, its cause, the related facts, its effects and the corrective measures implemented, both immediate and definitive; this documentation must be made available to the supervisory authority.


The Regulation on the Right to Protection of Personal Data addresses the effects of the security breach notifications made by the person in charge to the Control Authority, with regard to the procedures, form and conditions of the authority's intervention to safeguard the interests, rights and freedoms of the affected owners.

Until the Bill is enacted, there is no mandatory breach notification requirement in force under Bolivian data protection law.

ENFORCEMENT

The competent authority for the enforcement of data protection law is the Personal Data Authority, the Agency for Electronic Government and Information and Communication Technologies (AGETIC). However, since that Authority has not yet been created, enforcement may in future be assigned to other state organs.

ELECTRONIC MARKETING

There is nothing legally established in Bolivia concerning electronic marketing.

ONLINE PRIVACY

There is nothing established about online privacy, or cookies, or location data.

KEY CONTACTS

Guevara & Gutierrez

gg-lex.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.

Marcos Mercado Delgadillo
Guevara & Gutierrez

mmercado@gg-lex.com

Jorge Luis Inchauste Comboni
Guevara & Gutierrez

jinchauste@gg-lex.com


BONAIRE, SINT EUSTATIUS AND SABA

Last modified 7 January 2022

LAW

Personal Data Protection Act BES (Wet bescherming persoonsgegevens BES) (the “Personal Data Protection Act BES”);

General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on

May 25, 2018.

DEFINITIONS

Definition of Personal Data

Personal Data Protection Act BES 

Article 1 paragraph 2 of the Personal Data Protection Act BES stipulates personal data as any data concerning an identified or

identifiable natural person. 

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,

location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,

cultural or social identity of that natural person.

Definition of Sensitive Personal Data

Personal Data Protection Act BES 

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade

union. 

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic

data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

NATIONAL DATA PROTECTION AUTHORITY

Personal Data Protection Act BES 

The Personal Data Protection Committee as referred to in article 44 of Personal Data Protection Act BES. 

GDPR 

An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The

authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of

natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

REGISTRATION

Personal Data Protection Act BES 

No registration required. 


GDPR

Article 30 GDPR requires organisations to maintain an internal record of processing activities, in writing (including in electronic form), describing all personal data processing carried out by the organisation.

DATA PROTECTION OFFICERS

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES, the responsible party shall implement appropriate technical and organisational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the state of the art and the costs of implementation, in view of the risks associated with the processing and the nature of the data to be protected. The measures shall also be aimed at preventing unnecessary collection and further processing of personal data.

Besides the measures above, the Personal Data Protection Act BES does not contain any clauses on any type of registration, filings

of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

When the organisation is a public authority or body;

If the core activities require regular and systematic monitoring of data subjects on a large scale; or

If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.

COLLECTION & PROCESSING

Personal Data Protection Act BES 

Collecting and processing: any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together, as well as data blocking, erasure or destruction of data.

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain purposes, like a website that markets to users based on their online behaviour.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

TRANSFER

Personal Data Protection Act BES 

Article 42 of Personal Data Protection Act BES stipulates that personal data that is subject to processing or that is intended to be processed after its transfer may only be transferred to a country outside the European Union if, without prejudice to compliance with the law, that country guarantees an adequate level of protection.

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions applies.


SECURITY

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data.

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).

BREACH NOTIFICATION

Personal Data Protection Act BES 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

ENFORCEMENT

Personal Data Protection Act BES 

Pursuant to the Personal Data Protection Act BES the committee is authorized to impose an order under administrative coercion to enforce the obligations laid down by or pursuant to the Personal Data Protection Act BES.

GDPR 

The GDPR holds a variety of potential penalties for businesses.

For example, article 77 of GDPR states that:

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating him or her infringes this Regulation.”

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”

Penalties

Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.


Fines 

Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

ELECTRONIC MARKETING

Personal Data Protection Act BES

N/A. 

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.

They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

ONLINE PRIVACY

Personal Data Protection Act BES

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest.

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person.

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.


KEY CONTACTS

HBN Law & Tax

hbnlawtax.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Maarten Willems
Senior Associate

HBN Law & Tax

T +297 588 6060

maarten.willems@hbnlawtax.com

Misha Bemer
Partner

HBN Law & Tax

T +297 588 6060

misha.bemer@hbnlawtax.com


BOSNIA AND HERZEGOVINA

Last modified 12 January 2021

LAW

The Law on Protection of Personal Data (‘Official Gazette of BIH’, nos. 49/06, 76/11 and 89/11) (DP Law) is the governing law regulating data protection issues in Bosnia and Herzegovina (BiH). The DP Law came into force on July 4, 2006 and was amended on October 3, 2011.

Due to the deficiencies and non-alignment of the DP Law with the GDPR, in 2018 the competent authorities initiated the procedure for adoption of a new GDPR compliant data protection law in BiH. According to the publicly available information, the draft of the new data protection law (Draft Data Protection Law) was forwarded to the BiH Ministry of Civil Affairs and the adoption procedure before the BiH Parliament should have been initiated. However, due to the complex political situation as well as the Covid-19 pandemic, the Draft Data Protection Law has not been adopted to date. We expect the Draft Data Protection Law to be adopted in its current text within 2021.

DEFINITIONS

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural person. Data subjects are natural persons whose identity can be determined or identified, directly or indirectly, in particular by reference to a personal identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

The DP Law defines sensitive personal data as any data relating to any of the following:

Racial, national or ethnic origin

Political opinion, party affiliation, or trade union affiliation

Religious, philosophical or other belief

Health

Genetic code

Sexual life

Criminal convictions

Biometric data


Definitions of sensitive personal data stipulated by Draft Data Protection Law correspond to the definitions prescribed by GDPR.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Protection Agency (DPA) is the national data protection authority in BiH. The DPA is seated in

Dubrovačka 6

Sarajevo

www.azlp.gov.ba

The DPA remains the national data protection authority under Draft Data Protection Law.

REGISTRATION

Each data controller (defined as a person or legal entity which processes personal data) must provide the DPA with specific information on the database containing personal data (“Database”) established and maintained by the controller. The DPA maintains a publicly available register of data controllers and Databases.

The Database’s registration includes two phases:

First, the controller must register as a data controller (this registration as a controller is to be performed only once).

Second, the controller must report the Database’s establishment, which has to be done within 14 days.

Registration of the Database is made by submitting the application in the prescribed form to the DPA. The DPA form includes information regarding:

Data controller

    Name

    Address of its registered seat

The Database itself

    Processing purpose

    Legal ground for its establishment

    Identification of exact processing activities

    Types of processed data

    Categories of data subjects, and

    Transfer of data abroad

If there is a subsequent change in the registered data, for example changing initial processing activities, the change needs to be reported to the DPA within 14 days from the date the change occurred.

Unlike the DP Law, the Draft Data Protection Law foresees the obligation of data controllers and data processors to keep records of their data processing activities in the same way as the GDPR; however, it does not oblige data controllers to register their data processing activities/databases with the Agency.

DATA PROTECTION OFFICERS

There is no statutory obligation that the entity which processes personal data has a data protection officer. The Rules on the Manner of Keeping and Special Measures of Personal Data Technical Protection (Official Gazette of BiH no. 67/09) (Rules) stipulate that a controller can have an administrator of the Database. Such administrator is a natural person authorized and responsible for managing the Database and ensuring privacy and protection of personal data processing, in particular regarding implementation of security measures, storage and protection of data.

Unlike the DP Law, the Draft Data Protection Law foresees the obligation of the data controller and processor to ensure the proper and timely involvement of the data protection officer in all issues related to the protection of personal data. The position and tasks of the data protection officer envisaged by the Draft Data Protection Law correspond to those prescribed by the GDPR.

COLLECTION & PROCESSING

Collection and processing of personal data is permissible if carried out pursuant to the data subject’s consent and in compliance with the basic principles of personal data protection.

The form of the data subject’s consent depends on the type of personal data collected and processed. While the collection and processing of sensitive personal data requires explicit written consent from the data subject, the consent for the collection and processing of personal data falling within the category of general personal data does not have to be in writing. However, at the request of the competent authority, the controller has to be able to prove, at any time, the existence of a data subject’s consent for processing of both personal and sensitive personal data. Therefore, having a written consent for collection of any personal data is advisable. When required, written consent must contain at a minimum the elements prescribed by the DP Law.

Apart from the consent, there are also other conditions which must be met for the collection and processing to be regarded as legitimate, including:

Processing must be done in a fair and lawful way

The type and scope of processed data must be proportionate to the respective purpose

Other principles regarding the legitimate reasons for personal data processing

The DP Law provides an exception when a data subject’s personal data may be processed without the data subject’s consent. This is the case where the processing is necessary for the fulfillment of a data controller’s statutory obligations or for preparation or realization of an agreement concluded between a data controller and a data subject (Exceptional Cases). These conditions are considered the basic principles of personal data protection and are applicable to each case of personal data processing.

The legal grounds as well as the data processing requirements envisaged by the Draft Data Protection Law fully correspond to those envisaged by the GDPR.

TRANSFER

Under the transfer rules set out in the DP Law, processed personal data may be transferred to countries where an adequate level of personal data protection is ensured. In that regard, preferential status is given to the member states of the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Convention”), as members of the Convention ensure an adequate level of personal data protection.

Personal data transfer to countries that do not provide for an adequate level of personal data protection is allowed in certain cases stipulated by the DP Law, for example:

When the data subject consented to the transfer and was made aware of possible consequences of such transfer

When it is required for the purpose of fulfilling the contract or legal claim

When it is required for the protection of public interest

In addition, the DPA may exceptionally approve the transfer to a country that does not ensure an adequate level of personal data protection if the controller in the country where the data is to be transferred can provide for sufficient guarantees in regard to the protection of privacy and fundamental rights and freedoms of the data subject.

The Draft Data Protection Law prescribes a set of mechanisms based on which a legitimate transfer of data out of BiH is possible. This means that the Draft Data Protection Law, the same as the GDPR, tends to enable legitimate transfer of personal data whenever there are safeguards that transferred data will be processed in line with the law.

In practice this means the following:

It should firstly be checked whether a particular country to which the data is to be transferred is regarded as a country with an adequate data protection system (“Adequate Country”)

If a country to which the data is to be transferred from BiH is the Adequate Country or if there is a data transfer related international treaty entered into between BiH and that country, a transfer is possible without any approval of the Agency (“Transfer Approval”)

On the other hand, if a country to which the data is to be transferred is not the Adequate Country, a transfer is still possible without the Transfer Approval if adequate data protection measures are undertaken (e.g., if appropriate standard contractual clauses have been entered into between a data exporter and a data importer) (“Adequate Safeguards”)

However, even if there are no Adequate Safeguards, there is still a possibility for transferring the data without the Transfer Approval. Such possibility exists in so-called special situations, explicitly prescribed by the Draft Data Protection Law, the same as under the GDPR (e.g., a data subject has consented to a particular transfer, a transfer is necessary for the realization of an agreement between a data subject and data controller, etc.)

Finally, even if none of the aforementioned special situations is applicable, a data transfer is still allowed without the Transfer Approval if certain conditions (linked to a data controller’s legitimate interest) explicitly prescribed by the Draft Data Protection Law are cumulatively fulfilled.

SECURITY

The DP Law requires data controllers and processors to:

Take care of data security and to undertake all technical and organizational measures

Undertake measures against unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfer, other forms of illegal data processing, as well as measures against misuse of personal data

Adopt a personal data security plan (“Security Plan”) which specifies technical and organizational measures for the security of personal data

As provided by the Rules (as defined in the section “Data Protection Officers”), the Security Plan includes the categories of processed data and the list of instruments for protection of the data to ensure confidentiality, integrity, availability, authenticity, possibility of revision and transparency of the personal data.

The Rules prescribe that the controller is required to undertake more stringent technical and organizational measures when processing sensitive personal data. Such measures aim at enabling recognition of each authorized access to the information system, operation with the data during the controller’s regular working hours and cryptographic protection of the data transmission via telecommunications systems with appropriate software and technical measures.

The Rules also closely regulate the manner of personal data keeping and personal data protection in automatic processing.

Security measures envisaged by Draft Data Protection Law correspond to the measures prescribed by GDPR.

BREACH NOTIFICATION

The DP Law does not impose a data security breach notification duty on the controller. However, the Rules do impose a duty on the Database’s administrator, processor and performer to inform the controller of any attempt of unauthorized access to the information system for the Database’s management.

However, the regulations issued by the Communication Regulatory Agency (RAK) should be considered. The Regulation on Carrying out the Activities of the Publicly Available Electronic Communication Networks (‘Official Gazette of BiH’ no. 66/12) (Regulation A) stipulates that the operator of publicly available electronic communication networks (Operator) is required to inform RAK about its activities, operations and other applicable information required for RAK’s regulatory competences. Since RAK’s Regulation on Conditions for Providing the Telecommunications Services and Relation with End Users (‘Official Gazette of BiH’ no. 28/13) (Regulation B) prescribes the Operator’s obligation to undertake such methods as will protect the privacy of users and others, in a manner that will ensure the integrity and confidentiality of data, it can be concluded that the Operator is required to notify RAK of any breach of security and integrity of public telecommunication services that resulted in violation of protection of personal data or privacy of the respective services’ users.

When it comes to the notification duty towards the users, Regulation B obliges the Operator to inform the users adequately (e.g., in the user agreement, in its terms and conditions or in the appropriate technical way) about the possibility of privacy or telecommunication facilities violations.

Pursuant to the Draft Data Protection Law, in case of a personal data breach the controller is obliged to notify it without undue delay and, where feasible, not later than 72 hours after having become aware of it, which fully corresponds to the obligation prescribed by the GDPR.

ENFORCEMENT

The DPA enforces the DP Law. The DPA is authorized and obliged to monitor implementation of the DP Law, both ex officio and upon a third-party complaint. If the DPA finds that a particular person or entity processing personal data acted in violation of data processing rules, it may request that the controller discontinue such processing and order specific measures to be carried out without delay.

When acting upon the complaints, the DPA may also issue a decision by which it can order blocking, erasing or destroying of data, adjustment or amendment of data, temporary or permanent ban of processing, or issue a warning or reprimand to the controller. The decision of the DPA may not be appealed; however, a party may initiate an administrative dispute before the Court of BiH.

The DPA can initiate a misdemeanor proceeding against the respective data controller before the competent court, depending on the gravity of the particular misconduct and the data controller’s behavior with respect to the same. The offenses and sanctions are explicitly prescribed by the DP Law, which includes monetary fines for a controller in the amount between €2,550 and €51,100, as well as for the controller’s authorized representative in the amount between €100 and €7,700.

The Draft Data Protection Law, although still not as strict as the GDPR, foresees fines which are significantly higher than the ones foreseen by the current DP Law. Specifically, the Draft Data Protection Law introduces fines in the amount of up to BAM 200,000 (approx. EUR 100,000) or 4% of the total worldwide annual turnover of the preceding financial year (whichever is higher).

Breach of personal data protection regulations represents a criminal offense of unauthorized collection of personal data under all criminal codes applicable in BiH (Criminal Code of BiH, Criminal Code of the Republic of Srpska, Criminal Code of the Federation of BiH and Crimes Code of Brčko Distrikt). Prescribed sanctions are monetary fines (in an amount to be determined by the court) or imprisonment of up to six (6) months (Criminal Code of BiH; Criminal Code of the Federation of BiH; Criminal Code of the Brčko Distrikt) or up to one (1) year (Criminal Code of the Republic of Srpska).

ELECTRONIC MARKETING

Although electronic marketing is not governed by the DP Law, the respective law regulates protection of personal data used in direct marketing. In that regard, the controller is not allowed to disclose personal data to a third party without the data subject’s consent. However, when that is necessary for the protection of the controller’s rights and interests and when it is not in contradiction with the data subject’s right to the protection of personal privacy and personal life, the personal data may be used for direct marketing purposes without consent. The DPA is of the opinion that the previous provision could be used only in explicit cases, when the controller is offering products or services to a regular client in order to limit possible future damages for which he could be held responsible.

Under Regulation B, the Operator is prohibited from using user personal data for purposes of its business or other promotions, unless it obtains explicit consent from the user to whom such data relates.

ONLINE PRIVACY

The general data protection rules, as introduced by the DP Law, are relevant for online privacy as well, as there are no specific regulations that explicitly govern online privacy. This includes the obligation to act in accordance with the basic principles of personal data protection set out in the DP Law as well as acting on the basis of the data subject’s informed consent.

KEY CONTACTS

Karanovic & Nikolic

www.karanovic-nikolic.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Nihad Sijercic
Attorney-at-law in cooperation with Karanovic & Nikolic

T +387 33 844 000

nihad.sijercic@karanovicpartners.com

Amina Dugum
Attorney-at-law in cooperation with Karanovic & Nikolic

T +387 33 844 000

amina.djugum@karanovicpartners.com


BOTSWANA

Last modified 10 December 2021

LAW

The Data Protection Act – Act No. 32 of 2018 (“the DPA”) is an Act which was assented to by Parliament on the 3rd August 2018 and came into effect on the 15th of October 2021.

The DPA regulates the protection of personal data and ensures that the privacy of individuals in relation to their personal data is maintained.

DEFINITIONS

Definition of personal data 

Under the DPA, personal data means information relating to an identified or identifiable individual, by which the individual can be identified directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the individual’s physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data 

Sensitive Personal Data is defined to mean personal data which reveals a data subject’s: 

racial or ethnic origin;

political opinions;

religious beliefs or philosophical beliefs;

membership of a trade union;

physical or mental health or condition;

sexual life;

affiliation; or

personal financial information,

and includes: 

any commission or alleged commission by him or her of any offence;

any proceedings for any offence committed or alleged to have been committed by him or her, the disposal of such proceedings, or the sentence of any Court in such proceedings; and

genetic data, biometric data and the personal data of minors.

NATIONAL DATA PROTECTION AUTHORITY

A body known as the Information and Data Protection Commission (“the Commission”) as established under the DPA is yet to be formed and will be the designated body tasked with data protection and ensuring the effective application of, and compliance with, the DPA, and in particular, the right to protection of personal data, access, rectification, objection and cancellation of such data.

REGISTRATION

The Commission will be responsible for creating and maintaining a public register of all data controllers. There is, however, no prescribed method of registration.

A data controller is a person who alone or jointly with others determines the purpose and means by which personal data is to be processed, regardless of whether such data is processed by that person or by an agent on that person’s behalf. Additionally, a data controller may engage a data processor, being a person who processes data on behalf of the data controller.

In terms of the DPA, data controllers are required to notify the Commissioner of the Commission (“the Commissioner”) before carrying out any wholly or partially automated processing operation or set of such operations which are intended to serve a single purpose or serve several related purposes. Notification is not required where a data protection representative has been appointed.

The notification should include the following details: 

The name and address of the data controller and of its representative;

The purpose of the processing;

A description of the data subjects and of the personal data relating to the data subject;

The recipients to whom personal data can be disclosed;

Proposed transfers of personal data to a third country; and

A general description to allow the Commission to assess the appropriateness of the security measures.

The requirement for notification does not apply to operations which have the sole purpose of keeping a register that is intended to provide information to the public by virtue of any law, and for which the register is open for public inspection. In addition, the notification will not be required where a data controller has appointed a data protection representative.

Data controllers are further required to immediately notify the Commissioner of any breach of the technical or organizational security safeguards for processing of personal data.

The Commission will have the authority to grant an exemption for notification.

DATA PROTECTION OFFICERS

A data controller has the option to appoint a data protection representative who holds the requisite qualifications, their role being to independently ensure that personal data is processed in a correct and lawful manner, and in accordance with good practice.

The data protection representative is responsible for keeping a list of the processing carried out and the list should be immediately accessible to any person applying for access. Upon identifying any inadequacies, the data protection representative should bring such inadequacies to the attention of the data controller and assist in ensuring that the data subject’s rights under the DPA are protected.

Where a data protection representative has been appointed, the notification to the Commissioner regarding wholly or partially automated processing operations is not required.

If a data protection representative has reason to suspect that the data controller is contravening the rules applicable for processing personal data, and if rectification is not implemented as soon as practicable after the contravention is pointed out, the data protection representative must then notify the Commissioner.

The appointment and removal of a data protection representative must be notified to the Commissioner.

COLLECTION & PROCESSING

Processing means any operation or set of operations which is performed on personal data, whether or not it occurs by automatic means, and includes the collection, recording, organisation, storage, alteration, retrieval, gathering, use, disclosure by transmission, dissemination or otherwise making information available, alignment or combination, blocking, erasure or destruction of such data.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Botswana 143 | | | www.dlapiperdataprotection.com

Processing personal data

Prior to undertaking the processing of personal data, data controllers are generally required to obtain written consent from the data subjects. Consent is not required in instances authorised by any written law. In addition, a data subject who has given consent for the processing of personal data may at any time, in writing, revoke the consent for legitimate, reasonable and compelling reasons at that particular time.

As an alternative to obtaining written consent, personal data may further be processed where the processing is necessary for:

- the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
- compliance with a legal obligation to which the data controller is subject;
- protecting the vital interests of the data subject;
- performing an activity that is carried out in the public interest or in the exercise of an official authorisation vested in the data controller, or in a third party to whom the data is disclosed; or
- a purpose that concerns a legitimate interest of the data controller, or of a third party to whom personal data is provided, except where such interest is overridden by the interest in protecting the fundamental rights and freedoms of the data subject and, in particular, the right to privacy.

Where personal data is processed for historical, statistical or scientific purposes, the data controller must ensure that appropriate security safeguards are in place in instances where the personal data may be kept for a period longer than necessary, having regard to the purpose for which it is processed, or where the personal data kept is not used for any decision concerning the data subject.

In the event that processing is for direct marketing, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given notice of objection to the processing of the personal data. A data controller who processes the data despite the objection made by the data subject commits an offence which is punishable by a fine not exceeding BWP500 000 or imprisonment for a term not exceeding nine years, or both.

Processing sensitive personal data

Processing sensitive personal data is heavily restricted, requiring the data controller to ensure that appropriate security safeguards have been adopted. Processing of sensitive personal data is generally prohibited save where:

- the processing is specifically provided for under the DPA;
- the data subject has given consent in writing;
- the data subject has made the data public;
- the processing is necessary for national security, for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment, or where the processing is authorised by any other written law for any reason of substantial interest to the public; or
- the processing is necessary to protect the vital interests of a data subject or another person in a case where consent cannot be given by or on behalf of the data subject, the data controller cannot reasonably be expected to obtain consent, or the consent by or on behalf of the data subject has been unreasonably withheld.

Bodies or entities which have political, philosophical, religious or trade union objects are allowed to process sensitive personal data relating to the political, philosophical, religious or trade union objects concerning the members of that body or entity, or any other person with whom the body or entity regularly exchanges information. Such processing by an entity or body is allowed if it is done in the course of its legitimate activities and with appropriate guarantees. It should also be noted that this sensitive personal data may be provided to a third party only where the data subject has given written consent.


Furthermore, processing of sensitive personal data for health or medical purposes is allowed where the processing is done by a health professional and is necessary for preventative medicine as well as protection of public health, medical diagnosis, health care or the management of health and hospital care services.

Processing sensitive personal data is also allowed where it is for research, scientific and statistical purposes, so long as the processing is compatible with specified, explicitly stated and legitimate purposes. In the case of research and scientific purposes, the Commissioner must have approved the processing on the advice of a committee responsible for research and scientific ethics, whilst in the case of statistics, the processing must be necessary for the purposes provided under the Statistics Act (Cap 17:01).

There is a general prohibition against processing genetic and biometric data for what it reveals or contains. The prohibition does not apply where such data is processed in accordance with the general requirements for processing sensitive personal data as outlined above. Where genetic and biometric data is processed for medicinal purposes and the consent of the data subject has been granted, the processing must only be effected where a unique patient identification number is given to the data subject. This patient number must be different from any other identification number possessed by the data subject.

Sensitive personal data may also be processed for legal purposes where it is necessary in connection with any legal proceedings, including prospective proceedings, for the purposes of obtaining legal advice, for establishing, exercising or defending legal rights, or for the administration of justice.

With respect to a data subject's identity card number, processing in the absence of the data subject's consent is only allowed where the processing is clearly justifiable having regard to the purpose of the processing, the importance of a secure identification or any valid reason as may be prescribed.

During the processing operation where personal data is obtained directly from the data subject, the data controllers and data processors are required to furnish to the data subject the following information:

- The identity and habitual residence or principal place of business;
- The purpose of the processing;
- The existence of the right to object to the intended processing if the processing is for purposes of direct marketing;
- Any other additional information if it will ensure fair processing, which may include the recipient or category of recipients, whether the reply to any question posed is obligatory or voluntary and the possible consequences of failure to reply, as well as the existence of the right to access, rectify or delete the data concerning the data subject; or
- Any other information necessary for the specific nature of the processing, to guarantee fair processing in respect of the data subject.

A person who has access to personal data and is acting under the authorisation of the data controller or the data processor must process personal data only as instructed and without prejudice to any duty or restriction imposed by law. A contravention of this amounts to an offence which is punishable by a fine not exceeding BWP20 000 or imprisonment for a term not exceeding three years, or both.

Where personal data is processed without the required authorisation, such processing amounts to an offence which is punishable by a fine not exceeding BWP100 000 or imprisonment for a term not exceeding three years, or both.

It is mandatory to safeguard the security of personal data by taking appropriate technical and organisational security measures necessary to protect the personal data from negligent or unauthorised destruction, negligent loss or alteration, unauthorised access and any other unauthorised processing of personal data.

When taking appropriate technical and organisational security measures necessary to protect the personal data, the person doing so must ensure an appropriate level of security by taking into account:

- technological developments in the processing of personal data, and the costs of implementing the security measures; and
- the nature of the personal data to be protected and the potential risks involved.

Additionally, when outsourcing the processing of personal data, the data processor chosen must be one who gives sufficient guarantees regarding the technical and organisational security measures in place for the processing to be done. The data controller or processor who outsources must ensure that the said measures are complied with.

TRANSFER

The transfer of personal data from Botswana to another country is prohibited save for transborder transfers to countries that have been designated by the Minister through an Order published in the Government Gazette.

Transborder transfers of personal data require prior authorisation to be granted by the Commissioner, so as to assess and ensure that adequate levels of protection are provided by the country receiving the personal data. The assessment is made in light of all the circumstances surrounding the data transfer operation, and particular consideration is given to:

- the nature of the data;
- the purpose and duration of the proposed processing operation;
- the country of origin and the country of final destination;
- the rule of law, both general and sectoral, in force in the third country in question; and
- the professional rules and security safeguards which are complied with in that country.

Notwithstanding the above, transborder transfers to countries which do not offer an adequate level of protection are allowed where the data subject consents to the proposed transfer or where the transfer is:

- necessary for the performance of a contract between the data subject and the data controller, or the implementation of pre-contractual measures taken in response to the data subject's request;
- necessary for the performance or conclusion of a contract in the interests of the data subject between the data controller and a third party;
- necessary for the public interest, or for the establishment, exercise or defence of a legal claim;
- necessary to protect the vital interests of the data subject; or
- made from a register that is intended to provide the public with information and is open to public inspection.

Regardless of the above-mentioned restrictions, transborder flow of personal data to a country without adequate levels of protection may be authorised where the data controller provides adequate safeguards, which may be by means of appropriate contractual provisions, with respect to the protection of the privacy and fundamental rights and freedoms of individuals.

SECURITY

Data controllers are required to take appropriate technical and organisational security measures necessary to protect personal data from negligent or unauthorised destruction, negligent loss, as well as unauthorised access, alteration and processing of personal data.

The measures are influenced by technological developments in the processing of personal data and the costs of implementing the security measures, as well as the nature of the personal data and the potential risks involved.

Failure to implement the security safeguards amounts to an offence and will render the data controller liable to a fine not exceeding BWP100 000 or imprisonment for a term not exceeding three years, or both.

BREACH NOTIFICATION

Data controllers and data processors are required to immediately notify the Commissioner of any breach of the security safeguards of personal data. A failure to do so amounts to an offence punishable by a fine not exceeding BWP100 000 or imprisonment for a term not exceeding three years, or both.

ENFORCEMENT

As mentioned earlier, the Commission is the competent authority that will be tasked with the protection of personal data through effective application of and compliance with the DPA. However, since the Commission is yet to be formed, there is currently no enforcement.


ELECTRONIC MARKETING

Marketing by means of electronic communication is governed by the Electronic Communications and Transactions Act, Act No 14 of 2014 ("ECTA").

An originator who carries out marketing by means of electronic communication must provide the addressee with the originator's identity and contact details, including the place of business, e-mail address and telefax number, as well as a valid and operational opt-out facility from receiving similar communications in future, and additionally the identifying particulars of the source from which the originator obtained the addressee's personal information.

In terms of the ECTA, unsolicited commercial communication must only be sent where the opt-in requirement has been met, which includes:

- the addressee's email address and other personal information was collected by the originator of the message in the course of a sale or negotiations for a sale;
- the marketing relates to similar products or services;
- when the personal information and address was collected by the originator, the originator offered the addressee the opportunity to opt out, free of charge except for the cost of transmission, and the addressee declined to opt out; and
- the opportunity to opt out is provided with every subsequent message.

Failure to provide the addressee with an opt-out facility is an offence which is punishable by a fine not exceeding BWP10 000, or imprisonment for a term not exceeding five years, or both. Furthermore, an originator who persists in sending unsolicited commercial communications to an addressee who has opted out from receiving such communications through the originator's opt-out facility commits an offence and is liable to a fine not exceeding BWP50 000, or imprisonment for a term not exceeding eight years, or both.

Also noteworthy is the DPA requirement that where personal data is processed for direct marketing purposes, the data controller must, at no cost, inform the data subject of the right to oppose the processing. Processing for such purposes will be prohibited where the data subject has given notice of objection to the processing of the personal data. A data controller who processes the data despite the objection made by the data subject commits an offence which is punishable by a fine not exceeding BWP500 000 or imprisonment for a term not exceeding nine years, or both.

ONLINE PRIVACY

There is currently no specific online privacy legislation, and no provision in the DPA or the ECTA regarding such.

KEY CONTACTS

Minchin & Kelly (Botswana)

Isaac Ntombela
Partner
Minchin & Kelly (Botswana)
T +267 391 2734
intombela@minchinkelly.bw

Namie Modiri
Associate
Minchin & Kelly (Botswana)
T +267 391 2734
nmodiri@minchinkelly.bw


DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.


BRAZIL

Last modified 24 January 2022

LAW

After several discussions and postponements, the Brazilian General Data Protection Law (LGPD), Federal Law no. 13,709/2018, entered into force on September 18, 2020. The LGPD is Brazil's first comprehensive data protection regulation, and it broadly aligns with the EU General Data Protection Regulation (GDPR).

Although the law has been in force since 2020, the penalties provided for by the LGPD only became enforceable on August 1, 2021. However, public authorities (such as consumer protection bodies and public prosecutors) and data subjects could enforce their rights under the LGPD as of September 18, 2020.

Before the enactment of the LGPD, data privacy regulation in Brazil consisted of various provisions spread across Brazilian legislation. For example, Federal Law no. 12,965/2014 and its regulating Decree no. 8,771/16 (together, the Brazilian Internet Act) imposed requirements regarding security and the processing of personal data and other obligations on service providers, networks and application providers, and provided rights for Internet users.

The following laws also contain general provisions and principles applicable to data protection:

- The Federal Constitution
- The Brazilian Civil Code, and
- Laws and regulations that address
  - Certain types of relationships (e.g., the Consumer Protection Code [1] and employment laws);
  - Regulated sectors (e.g., financial institutions, the health industry, or telecommunications); and
  - Particular professional activities (e.g., medicine and law).

Additionally, there are laws that regulate the processing and safeguarding of documents and information handled by governmental entities and public bodies.

The LGPD applies to any processing operation carried out by a natural person or a legal entity (of public or private law), irrespective of (1) the means used for the processing, (2) the country in which its headquarters is located, or (3) the country where the data are located, provided that:

- The processing operation is carried out in Brazil;
- The purpose of the processing activity is to offer or provide goods or services, or the processing of data of individuals located in Brazil; or
- The personal data was collected in Brazil.

On the other hand, the law does not apply to the processing of personal data that is:

- Carried out by a natural person exclusively for private and non-economic purposes;
- Performed for journalistic, artistic, or academic purposes;


- Carried out for purposes of public safety, national security, and defense or activities of investigation and prosecution of criminal offenses (which will be the subject of a specific law);
- Originated outside the Brazilian territory and not the object of communication; or
- Shared data use with Brazilian processing agents, or the object of international transfer of data with another country that is not the country of origin, provided that the country of origin offers a level of personal data protection adequate to that established in Brazilian law.

In addition, on October 20, 2021, the Brazilian Senate unanimously approved the Proposed Amendment to the Constitution ("PEC") no. 17/2019, which aims to include in the Federal Constitution the protection of personal data, including in digital media, as a fundamental right, and to assign exclusively to the Union (federal government) the responsibility to legislate on this subject. However, this amendment will only be valid when the National Congress enacts the PEC, which is still pending.

[1] Due to a broad interpretation established in case law, practically every Internet user is considered a 'consumer' for the purposes of consumer protection.

DEFINITIONS

Definition of personal data

The LGPD defines personal data as any information related to an identified or identifiable natural person.

Anonymized data is not considered personal data, except when the process of anonymization has been reversed or if it can be reversed by applying reasonable efforts.

Definition of sensitive personal data

The LGPD defines sensitive personal data as any personal data concerning:

- Racial or ethnic origin
- Religious belief
- Political opinion
- Trade union membership
- Religious, philosophical or political organization membership
- Health or sex life
- Genetic or biometric data

NATIONAL DATA PROTECTION AUTHORITY

The LGPD established the National Data Protection Authority (ANPD). The ANPD is part of the federal public administration (pertaining to the Presidency of the Republic), and is given technical and decision-making autonomy with jurisdiction over the Brazilian territory. The ANPD is headquartered in the Federal District. The legal nature of the ANPD is transitory and may be amended by the Public Authority into an entity of the indirect federal public administration, subject to a special autarchic regime and linked to the Presidency of the Republic, within two (2) years of its regimental structure coming into force.

The ANPD is now in operation. Its structuring process started on August 27, 2020, with the publication of Decree No. 10,474/2020, which approved and regulated the regulatory structure of the ANPD and its board of commissioned positions and nominated trust functions. On November 6, 2020, this Decree entered into force with the appointment of the Director-President and the members of the Board of Directors of the ANPD, after having been approved by the plenary of the Federal Senate. On March 9, 2021, the ANPD's Internal Regulations were published, establishing the competencies and organization of the National Authority.

The ANPD is composed of:


- A Board of Directors
- A National Council for Personal Data and Privacy Protection (Council)
- Bodies of direct and immediate assistance to the Board of Directors (General Secretariat, General Coordination of Administration, General Coordination of Institutional and International Relations)
- An Internal Affairs Office (inspection body)
- An ombudsman
- Its own legal advisory body, and
- Administrative and specialized units for the enforcement of the LGPD (i.e., General Coordination of Standardization; General Coordination of Supervision; and General Coordination of Technology and Research)

The ANPD has the authority to issue sanctions for violations of the LGPD. This sanctioning authority came into force on August 1, 2021. In August 2021, the President of the Republic appointed representatives of the National Council for Personal Data and Privacy Protection (Council). The Council contributes to the performance of the ANPD, which has the authority to, among other things:

- Oversee the protection of personal data
- Issue regulations and procedures related to personal data protection
- Deliberate, at an administrative level, upon the interpretation of the LGPD and matters omitted in its wording
- Supervise and apply sanctions in the event of data processing performed in violation of the legislation
- Implement simplified mechanisms for recording complaints about the processing of personal data in violation of the LGPD

In addition, the ANPD Council is responsible for, among other functions:

- Proposing strategic guidelines and subsidies for the creation of the National Policy for the Protection of Personal Data and the operation of the ANPD
- Suggesting actions to be carried out by the ANPD
- Preparing studies and conducting public debates and hearings about the protection of personal data

Since the ANPD started its operations, several actions have already been implemented to protect personal data, including:

- Publishing guidance on reporting a security incident involving personal data, and its assessment, to the ANPD
- Explaining the availability of a claim by the data subject against the controller
- Providing educational materials on data protection, such as (1) guidelines for defining personal data processing agents and the DPO, (2) how consumers should protect their personal data, and (3) information security for small processing agents.

However, there are still several provisions of the LGPD requiring further regulation and interpretation by the ANPD, which stakeholders should monitor for future compliance.

REGISTRATION

There is currently no requirement to register with the National Data Protection Authority under Brazilian law.

DATA PROTECTION OFFICERS

The LGPD creates the position of Chief of Data Processing, which is the data protection officer (DPO) in charge of data processing operations. The DPO is responsible for the following:

- Accepting complaints and communications from data subjects and the National Authority
- Providing guidance to employees about good practices and carrying out other duties as determined by the controller or set forth in complementary rules

The LGPD gives the National Data Protection Authority the power to further establish supplementary rules concerning the definition and the duties of the DPO, including scenarios in which the appointment of such a person may be waived, according to the nature and size of the entity or the volume of data processing operations.

Currently, and until the ANPD provides more detailed instructions on the subject, it is assumed that every company (public or private) should appoint a DPO. This general obligation extends to all types of activities and volumes of data processing subject to the LGPD (as set out in the "Guidance on Processing Agents and DPO" published by the ANPD in May 2021). In any case, all companies should monitor this space for future guidance.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the exemption of these companies from appointing a DPO. However, this is still a draft Resolution and needs to be further confirmed and published.

There is no prohibition against companies using an external DPO or against DPOs performing the same function for more than one company simultaneously. Likewise, the LGPD does not distinguish whether the DPO must be an individual or a legal entity.

Due to the absence of legal or regulatory requirements, there is no need to communicate or record the identity and contact information of the DPO with the ANPD.

COLLECTION & PROCESSING

Under the LGPD, collection and processing is referred to as "data treatment", and is defined as all operations carried out with personal data, such as:

- Collection
- Production
- Reception
- Classification
- Utilization
- Access
- Reproduction
- Transmission
- Distribution
- Processing
- Filing
- Storage
- Elimination
- Evaluation
- Control
- Modification
- Communication
- Transfer
- Diffusion, or
- Extraction

The processing of personal data may only be carried out based on one of the following legal bases:

- With the data subject's consent
- To comply with a legal or regulatory obligation of the controller
- By the public administration, for the processing and shared use of data which are necessary for the execution of public policies provided for in laws or regulations, or in contracts, agreements or similar instruments
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- For the execution of a contract or preliminary procedures related to a contract to which the data subject is a party
- For the regular exercise of rights in judicial, administrative or arbitration procedures
- As necessary for the protection of the life or physical safety of the data subject or a third party
- For the protection of health, exclusively, in a procedure carried out by health professionals, health services or sanitary authorities
- To fulfill the legitimate interests of the controller or a third party, except where the fundamental rights and freedoms of the data subject prevail, and
- For the protection of credit

Notwithstanding the above, personal data processing must be carried out in good faith and based on the following principles:

- Purpose
- Suitability
- Necessity
- Free access
- Quality of the data
- Transparency
- Security
- Prevention
- Nondiscrimination, and
- Accountability

As for the processing of sensitive personal data, the processing can only occur when the data subject or their legal representative consents specifically and in a highlighted manner, for specific purposes; or, without consent, in the following situations:

- As necessary for the controller's compliance with a legal or regulatory obligation
- Shared data processed as necessary for the execution of public policies provided for in laws or regulations by the public administration
- For carrying out studies by research entities, ensuring, whenever possible, the anonymization of personal data
- For the regular exercise of rights, including in a contract or in a judicial, administrative or arbitration procedure
- Where necessary for the protection of the life or physical safety of the data subject or a third party
- For the protection of health, exclusively, in a procedure performed by health professionals, health services or sanitary authorities, or
- To prevent fraud and protect the safety of the data subject

The controller and operator must keep records of the data processing operations they carry out, particularly when the processing is based on a legitimate interest.

In this sense, the ANPD may determine that the controller must prepare an Impact Report on Protection of Personal Data, including sensitive data, referring to its data processing operations, pursuant to regulations and subject to commercial and industrial secrecy. The report must contain at least a description of the types of data collected, the methodology used for collection and for ensuring the security of the information, and the analysis of the controller regarding the adopted measures, safeguards and mechanisms of risk mitigation.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. This Resolution includes exemptions and flexibilities, such as the exemption of these companies from maintaining records of data processing activities and flexibility in conducting Data Protection Impact Assessments ("DPIA"). However, this is still a draft Resolution, which must be further confirmed and published.

TRANSFER

The transfer of personal data to other jurisdictions is allowed only subject to compliance with the requirements of the LGPD. Prior specific and informed consent is needed for such transfer, unless:

- The transfer is to countries or international organizations with an adequate level of protection of personal data
- There are adequate guarantees of compliance with the principles and rights of the data subject provided by the LGPD, in the form of:
  - Specific contractual clauses for a given transfer
  - Standard contractual clauses
  - Global corporate norms, or
  - Regularly issued stamps, certificates and codes of conduct
- The transfer is necessary for international legal cooperation between public intelligence, investigative and prosecutorial agencies
- The transfer is necessary to protect the life or physical safety of the data subject or a third party
- The ANPD has provided authorization
- The transfer is subject to a commitment undertaken through international cooperation
- The transfer is necessary for the execution of a public policy or legal attribution of public service
- The transfer is necessary for compliance with a legal or regulatory obligation, execution of a contract or preliminary procedures related to a contract, or the regular exercise of rights in judicial, administrative or arbitration procedures

SECURITY

Controllers and processors must adopt technical and administrative security measures designed to protect personal data from:

Unauthorized access, and

Accidental or unlawful situations of:

  Destruction

  Loss

  Alteration

  Communication, or

  Any improper or unlawful processing

The LGPD grants the ANPD authority to establish minimum technical standards for companies to implement.

On 4 October 2021, the ANPD launched information security guidelines aimed at small data processing agents (such as microenterprises, small businesses, and startups) to assist them with good practices in implementing technical and administrative information security measures for the protection of personal data. The guidelines also contain a checklist to facilitate the visualization of suggestions, such as awareness and training programs, agreements management, access controls, data storage guidelines, and vulnerability management.

The Brazilian Internet Act further establishes that service providers, network providers and application providers should keep access records (such as IP addresses and logins) confidential and in a secured and controlled environment. Guidelines issued under the Internet Act set out appropriate security controls, including:

Strict control on data access, by defining the liability of the persons who will be able to access the records and granting exclusive access privileges to certain users

Provision of authentication mechanisms for records access, using, for example, dual authentication systems to ensure individualization of the controller’s records

Creation of a detailed inventory of access to connection records and access to application records, containing the time, the duration, the identity of the employee or of the person designated by the company as responsible for the access, and the accessed file

Use of records management techniques that ensure the inviolability of the data, such as encryption or equivalent protective measures

BREACH NOTIFICATION

The controller must report to the ANPD and the data subject within a reasonable timeframe if the breach is likely to result in risk or harm to data subjects. The LGPD itself does not set a specific deadline for notifying the ANPD in the event of security incidents. However, according to guidance published by the National Authority on February 22, 2021, the communication must be made within two (2) working days, counted from the date on which the incident became known.

In addition, according to this guideline, the company or person responsible for the data must internally assess the incident and ascertain the nature, category, and number of data subjects affected. The National Authority must also be notified in the event of relevant risk or damage to data subjects, using a form available on the ANPD’s page.

The notice must contain, at least, the following:

Description of the nature of the affected personal data

Information regarding the data subjects involved

Indication of the security measures used

The risks generated by the incident

The reasons for a delay in communication (if any)

The measures that were or will be adopted

Additionally, the ANPD must verify the seriousness of the incident and may, if necessary to safeguard the data subject’s rights, order the controller to adopt measures, such as the broad disclosure of the event in communications media, as well as measures to reverse or mitigate the effects of the incident.

On August 30, 2021, the ANPD issued a Public Consultation related to a Resolution with special rules on the application of the LGPD to small businesses, startups, and innovative companies. The Resolution includes exemptions and flexibilities, such as the exemption or flexibility in the communication of security incidents, as well as flexibility regarding deadlines for responding to data subjects’ requests, for communicating severe security incidents to the ANPD and affected data subjects, and for responding to the ANPD’s requests. However, this is still a draft Resolution, which has yet to be confirmed and published.

ENFORCEMENT

The LGPD provides for penalties in case of violations of its provisions. Data processing agents that commit infractions can be subject to administrative sanctions, in a gradual, single or cumulative manner, including a fine, simple or daily, of up to 2% of the revenues of a private legal entity, group or conglomerate in Brazil, up to a total maximum of R$50 million per infraction.

Other sanctions can include:

Warning

Publicizing of the violation

Blocking of the personal data to which the infraction refers until its regularization

Deletion of the personal data to which the infraction refers

Partial suspension of the database operation to which the infringement refers for a maximum period of six (6) months, extendable for the same period, until the processing activity is corrected by the controller

Suspension of the personal data processing activity to which the infringement refers for a maximum period of six (6) months, extendable for the same period

Partial or total prohibition of activities related to data processing

Although the LGPD became effective September 18, 2020, the penalties provided by the law were only enforceable from August 1, 2021. In addition, the ANPD is now in operation and, on October 29, 2021, published the Regulation of the Inspection Process and the Sanctioning Administrative Process, which establishes the procedures applicable to the ANPD’s inspection process and the rules to be observed during the administrative sanctioning process. However, so far, the ANPD still has not imposed sanctions regarding violations of the LGPD, so its level of enforcement activity is still uncertain.

Public authorities (such as consumer protection bodies and public prosecutors) are already monitoring data protection matters and applying penalties based on the LGPD obligations and other applicable laws. Additionally, data subjects may file lawsuits if any of the rights provided by the LGPD are violated. Under the law, a controller or processor that causes material, moral, individual, or collective damage to others is liable to individuals for such damages, including through a class action.

Exceptions to the obligation to remedy a violation exist only if:

The agent (i.e., the controller or the processor) did not carry out the data processing

There was no violation of the data protection legislation in the processing, or

The damage arises due to the exclusive fault of the data subject or a third party


ELECTRONIC MARKETING

Brazil has no specific law regulating electronic marketing communications. However, it is important to point out that, according to the LGPD, all processing of consumers’ personal data (which includes the collection, storage, and sending of marketing communications) can only occur upon an appropriate legal basis for such purpose. Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: (1) the data subject’s consent, or (2) the controller’s legitimate interest.

Despite the lack of a specific statute, general provisions on privacy and intimacy rights, as well as consumer protection rights, also apply to electronic marketing. Therefore, the sender should immediately cease sending any electronic marketing if the consumer so requests (i.e., an opt-out option for electronic marketing must be offered).

ONLINE PRIVACY

The Brazilian Internet Act has several provisions concerning the storage, use, disclosure, and other processing of data collected on the Internet. The established rights of privacy, intimacy, and consumer rights apply equally to electronic media, such as mobile devices and the Internet. Violations of these rights may also be subject to civil enforcement.

Furthermore, as explained in prior sections, identifiable data are also encompassed under the scope of protection of the LGPD. Thus, if cookies and location data are associated with a natural person, their collection should also observe the same obligations provided by the Brazilian data protection law. However, the obligation does not apply to anonymized data, which is not considered personal data under the LGPD unless the process of anonymization has been reversed or can be reversed using reasonable efforts.

That said, a proper legal basis is needed when using cookies and similar technologies that involve the processing of a user’s personal data (e.g., where the information is linked or linkable to a particular user, IP address, device, or other particular identifier). Under this scenario, two available legal bases could be used, depending on the analysis of the concrete case: the data subject’s consent or the controller’s legitimate interest (in the case of essential cookies, for example).

KEY CONTACTS

Campos Mello Advogados
www.camposmello.adv.br/

Paula Mena Barreto
Partner
Campos Mello Advogados
T +55 21 3262 3028
paula.menabarreto@cmalaw.com

Manoela Quintas Esteves
Associate
Campos Mello Advogados
T +55 21 3262 3042
manoela.esteves@cmalaw.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

BRITISH VIRGIN ISLANDS

Last modified 24 January 2022

LAW

The British Virgin Islands’ Data Protection Act, 2021 (DPA) came into force on 9 July 2021.

The DPA is the primary legislation and the first legislative framework of its kind in the British Virgin Islands to govern how public and private bodies may process personal data. The law strives to promote transparency and accountability, bringing the British Virgin Islands in line with the UK and EU data protection standards.

DEFINITIONS

Definition of personal data

Personal data means any information in respect of commercial transactions which: (i) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (ii) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; and, in each case, that relates directly or indirectly to a data subject who is identified or identifiable from that information, or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject.

Definition of sensitive personal data

Sensitive personal data means any personal data about a data subject’s:

physical or mental health;

sexual orientation;

political opinions;

religious beliefs or other beliefs of a similar nature;

criminal convictions, or the commission or alleged commission of an offence; or

any other personal data that may be prescribed as such under the DPA, from time to time.

Other key definitions

commercial transactions means any transaction of a commercial nature, whether contractual or not, which includes any matters relating to the supply or exchange of goods or services, agency, investments, financing, banking, and insurance

data processor, in relation to personal data, means a person who processes data on behalf of a data controller but does not include an employee of the data controller

data subject means a natural person, whether living or deceased

data controller means a person who, either alone or jointly, or in common with other persons, processes any personal data, or has control over, or authorises the processing of any personal data, but does not include a data processor

processing, in relation to personal data, means collecting, recording, holding, or storing the personal data or carrying out any operation or set of operations on the personal data, including the: (i) organisation, adaptation, or alteration of personal data; (ii) retrieval, consultation or use of personal data; (iii) disclosure of personal data by transmission, transfer, dissemination or otherwise making available; or (iv) alignment, combination, correction, erasure or destruction of personal data, and

NATIONAL DATA PROTECTION AUTHORITY

The supervisory authority under the DPA is the Office of the Information Commissioner.

Given the recent enactment of the DPA, the Office of the Information Commissioner has not yet been staffed.

REGISTRATION

There is currently no requirement for a data controller or a data processor to notify the Information Commissioner of their role or complete any registration.

DATA PROTECTION OFFICERS

There is no requirement under the DPA for a data protection officer to be appointed.

COLLECTION & PROCESSING

Data controllers are responsible for compliance with certain privacy and data protection principles applicable to the personal data they process. Data controllers are also responsible for ensuring that the principles are complied with where personal data is processed on the data controller’s behalf (e.g., by its vendors).

Under these principles:

a data controller shall not process personal data (other than sensitive personal data) without the express consent of the data subject, or transfer personal data outside of the British Virgin Islands without proof of adequate data protection safeguards or consent from the data subject, unless one of the exceptions defined under the heading “Transfer” applies (the “General Principle”)

a data controller must inform a data subject of: (a) the purposes for processing; (b) information as to the source of the personal data; (c) the rights to request access to and correction of the personal data; (d) how to contact the data controller; (e) the class of third parties to whom the personal data will be disclosed; and (f) whether the data subject is obligated to supply the personal data, and if so, the consequences of not supplying the same (the “Notice and Choice Principle”)

no personal data shall be disclosed without the consent of the data subject for any purposes other than the purpose for which the personal data was to be disclosed at the time of collection, or to any party other than a third party of the class of third parties noted above (the “Disclosure Principle”)

a data controller must take practical steps to protect personal data from any loss, misuse, modification, unauthorised or accidental access or disclosure, alteration, or destruction, having regard to (a) the nature of the personal data and the harm that would result from any loss, misuse, etc.; (b) the place or location where the personal data is stored; (c) any security measures incorporated into any storage equipment; (d) the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data; and (e) the measures taken for ensuring the secure transfer of the personal data (the “Security Principle”)

personal data shall not be kept longer than is necessary for the fulfillment of the purpose of processing, and data controllers must take all reasonable steps to ensure that personal data is destroyed or permanently deleted if no longer required for the purpose for which it was to be processed (the “Retention Principle”)

a data controller shall take reasonable steps to ensure that personal data is accurate, complete, not misleading, and kept current (the “Data Integrity Principle”), and

data subjects shall be given access to their personal data and be able to request corrections where the personal data is inaccurate, incomplete, misleading, or not current (the “Access Principle”)


TRANSFER

As set out under the General Principle, transfers of personal data by a data controller or a data processor to countries or territories outside the British Virgin Islands are only permitted where that country or territory ensures an adequate level of data protection safeguards in relation to the processing of personal data. This transfer restriction endeavors to ensure that the level of protection provided by the DPA is not circumvented by transferring personal data abroad.

The DPA also includes the following exceptions where the General Principle will not apply to a transfer:

if the data subject has consented to the transfer (where consent must be freely given, specific, informed, and unambiguous, and must be capable of being withdrawn at any time)

where the transfer is necessary for the performance of a contract between the data subject and the data controller, or the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller

the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject, or for the performance of such a contract

the transfer is necessary for reasons of substantial public interest

the transfer is for a lawful purpose directly related to an activity of the data controller, is necessary for, or directly related to, that purpose, and the personal data is adequate but not excessive in relation to that purpose

the transfer is necessary in order to protect the vital interests of the data subject

the transfer is necessary for the administration of justice, or

the transfer is required for the exercise of any functions conferred on a person by law.

SECURITY

While the DPA does not specify any technical standards for data controllers to implement, the DPA requires a data controller, when processing personal data, to take practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access, or disclosure, alteration or destruction (together, ‘Security Breach’), having regard to the following matters:

the nature of the personal data and the harm that would result from a Security Breach

the place or location where the personal data is stored

any security measures incorporated into any equipment in which the personal data is stored

the measures taken for ensuring the reliability, integrity, and competence of personnel having access to the personal data, and

the measures taken for ensuring the secure transfer of the personal data

The DPA also requires, where a data processor carries out the processing of personal data on behalf of the data controller, that the data controller (for the purpose of protecting the personal data from a Security Breach) ensure that the data processor:

provides sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

takes reasonable steps to ensure compliance with the above measures

BREACH NOTIFICATION

The DPA does not require data controllers to notify the Information Commissioner or the data subjects of personal data breaches.

However, notice requirements apply to data controllers that receive enforcement notices from the Information Commissioner. The DPA requires a public or private body, as soon as practicable, and in any event within 30 days of complying with an enforcement notice from the Information Commissioner, to: (i) notify the data subject(s) concerned; and (ii) notify any person to whom the personal data was disclosed within the twelve months preceding the date of service of the enforcement notice (as determined by the Information Commissioner).

ENFORCEMENT

A breach of the DPA constitutes a criminal offence. Upon conviction, violators may be subject to a fine of up to US$100,000, imprisonment of up to five years, or both. A body corporate is punishable on conviction by a fine of up to US$500,000.

The Information Commissioner has broad investigative and corrective powers under the DPA, including the power to request and obtain information from parties subject to the law and to issue orders to carry out specific remediation activities.

The DPA provides for a private right of action where data subjects suffer damage or distress due to a breach of the DPA by a public or private body.

In addition, the DPA explicitly provides for personal liability in respect of offences committed by a body corporate where the offence is proven to have been committed with the consent or connivance of, or to be attributable to neglect on the part of, any director, secretary, or similar officer, or any person purporting to act in such capacity. Where the affairs of a body corporate are managed by its members, this personal liability also applies to the acts and defaults of a member in connection with the member’s function of management.

ELECTRONIC MARKETING

The DPA applies to “direct marketing”, which is the communication, by whatever means, of any advertising or marketing material that is directed to particular individuals, and therefore includes electronic marketing.

Prior express consent is not required for the purposes of direct marketing. However, a data subject has an unconditional right to require the data controller to stop, or not to commence, the processing of any of their personal data for the purposes of direct marketing (i.e., an “opt-out” right).

ONLINE PRIVACY

There are no specific restrictions on online privacy in the DPA. However, the provisions of the DPA apply where a private body is a website operator that collects personal data.

KEY CONTACTS

Carey Olsen
www.careyolsen.com

Clinton Hempel
Partner
Carey Olsen
T +27 76 412 6091
clinton.hempel@careyolsen.com

Jude Hodge
Counsel
Carey Olsen
T +1 284 394 4034
jude.hodge@careyolsen.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

BRUNEI

Last modified 17 December 2021

LAW

At present there are no statutory or common law obligations that protect the privacy of information from which an individual can be directly or indirectly identified, save in respect of the banker-customer relationship, where banks are under a legal duty to keep customer information confidential.

However, with the publication of the Public Consultation Paper on Personal Data Protection for the Private Sector in Brunei Darussalam by the Authority for Info-communications Technology Industry of Brunei Darussalam on 20 May 2021 (“Public Consultation Paper”), it is anticipated that the Personal Data Protection Order (“PDPO”) will be enacted and come into force in the near future. Premised on the Public Consultation Paper, which sets out in general terms the data protection framework under the PDPO, it is anticipated that the PDPO will introduce obligations on the part of private sector organizations with respect to the collection, use, disclosure or other processing of individuals’ personal data, and rights of individuals in relation to the processing of their personal data.

DEFINITIONS

Definition of personal data

At present there is no legal definition.

It is anticipated that under the PDPO “personal data” will refer to data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which the organization has or is likely to have access.

Definition of sensitive personal data

At present there is no legal definition.

It is anticipated that the PDPO will not make a distinction between sensitive and non-sensitive personal data or define a category of “sensitive personal data”.

NATIONAL DATA PROTECTION AUTHORITY

At present nil.

It is anticipated that the PDPO will establish a national data protection authority referred to as the Responsible Authority.

REGISTRATION

At present no legal requirement.

It is anticipated that the PDPO will not have any registration requirements.

DATA PROTECTION OFFICERS

At present no legal requirement.

It is anticipated that the PDPO will require an organization to appoint a data protection officer who shall be responsible for ensuring that the organization complies with the PDPO and for developing and implementing the policies and practices that are necessary to meet its obligations under the PDPO, including a process to receive complaints.

COLLECTION & PROCESSING

At present not a regulated activity.

Under the PDPO framework set out in the Public Consultation Paper, organizations may collect, use or disclose personal data about an individual for purposes that a reasonable person would consider appropriate in the circumstances.

It is anticipated that under the PDPO organizations may collect, use or disclose personal data where:

they have the prior consent of the individual;

it is otherwise required or authorized by law; or

an exception in the PDPO applies.

Where consent is required, it is anticipated that the PDPO will not specifically prescribe the manner in which consent may be given and that the PDPO will recognize that consent may be explicit or implicit through an individual’s actions or inactions, depending on the circumstances, thereby allowing organizations flexibility as to how they obtain consent. That said, it is anticipated that the PDPO would require organizations to look to express consent as the first port of call and only rely on deemed consent or the exceptions to consent if obtaining consent is impractical or if they have otherwise failed to obtain express consent.

It is anticipated that under the PDPO consent must be validly obtained, and consent would not be valid where:

consent is obtained as a condition of providing a product or service and such consent is beyond what is reasonable to provide the product or service to the individual, the principle being that organizations should not collect more personal data than is reasonable and necessary; and

false or misleading information was provided in order to obtain or attempt to obtain the individual’s consent for collecting, using or disclosing his personal data.

As part of obtaining valid consent, it is anticipated that the PDPO will require organizations to provide the individual with information on:

the purposes for the collection, use or disclosure of his personal data, on or before collecting the personal data; and

any other purpose for the use or disclosure of personal data that has not been notified to the individual, before such use or disclosure of personal data.

Further, it is anticipated that fresh consent would be required where personal data collected is to be used for a purpose different from the one to which the individual originally consented.

TRANSFER

At present not a regulated activity.

It is anticipated that under the PDPO an organization shall not transfer personal data to a country outside Brunei Darussalam except in accordance with requirements prescribed under the PDPO to ensure that the transferred personal data will be accorded a standard of protection that is comparable to that under the PDPO. It is not anticipated that such requirements prescribed by the PDPO will be as stringent and prescriptive as in other jurisdictions, for example the EU, and it is anticipated that the PDPO will place the onus on organizations to ensure that appropriate measures are taken to protect personal data transferred out of Brunei Darussalam, through the imposition of contractual obligations or otherwise.

SECURITY

At present not a regulated activity save in relation to a “Financial Institution” – see Mandatory Breach Notification.

It is anticipated that under the PDPO an organization must protect personal data in its possession or under its control by making reasonable security arrangements to prevent:

unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks; and

the loss of any storage medium or device on which personal data is stored.

It is anticipated that under the PDPO data intermediaries will also be subject to the same obligation to protect personal data in their possession.

It is anticipated that the PDPO will provide for a reasonable standard for such security measures, taking into account factors such as the nature and sensitivity of the data, the form in which the personal data is stored, and the impact on the individual if the personal data is subject to unauthorized access, disclosure or other risks. However, it is not anticipated that the PDPO will stipulate specific security measures to be adopted and implemented by organizations and data intermediaries.

BREACH NOTIFICATION

Mandatory Breach Notification

At present no legal requirement save in relation to a “Financial Institution” (i.e. banks, insurance companies, moneylenders, pawnbrokers, moneychangers and securities service providers licensed in Brunei Darussalam).

It is anticipated that under the PDPO organizations will be required to, as soon as practicable, but in any case no later than 3 calendar days after the assessment, notify the Responsible Authority of a data breach that:

results in, or is likely to result in, significant harm to the individuals to whom any personal data affected by the data breach relates; or

is, or is likely to be, of a significant scale.

Organizations are also anticipated to be required to notify the affected individuals on or after notifying the Responsible Authority if the data breach results in, or is likely to result in, significant harm to an affected individual.

Further, it is anticipated that unreasonable delays in reporting breaches that cannot be justified will be considered a breach of the data breach notification obligation.

Where a data breach is discovered by a data intermediary, it is anticipated that under the PDPO the data intermediary will be under a duty to notify the organization or the Responsible Authority of the data breach.

A Financial Institution is obliged to report to the Brunei Darussalam Central Bank, no later than 2 hours after confirmation, all instances of cyber intrusion, disruption, malfunction, error or cybersecurity issues on a Financial Institution’s system, server, network or end-point which have a severe or widespread impact on operations and service delivery or a material impact on the Financial Institution.

ENFORCEMENT

At present no enforcement authority.

It is anticipated that under the PDPO the Responsible Authority will administer and enforce the PDPO and will have the power to do any of the following:
issue directions to organizations to:
  stop collecting, using or disclosing personal data in contravention of the PDPO;
  destroy personal data collected in contravention of the PDPO; or
  provide access to or correct personal data;
impose a financial penalty of up to BND1 million or 10% of the annual turnover of an organization for negligent or intentional breach of the PDPO.

ELECTRONIC MARKETING

No legal requirement to have privacy policies.

ONLINE PRIVACY

No legal requirement to have privacy policies.

KEY CONTACTS

Abraham, Davidson & CO.
www.adcobrunei.com/

Linus Tan
Associate
Abraham, Davidson & CO.
T +673 2242840
linus_tan@adcobrunei.com

Elaiza Hanum Merican
Associate
Abraham, Davidson & CO.
T +673 2242840
elaiza@adcobrunei.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

BULGARIA

Last modified 22 December 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Bulgaria implemented the EU Data Protection Directive 95/46/EC with the Personal Data Protection Act (in Bulgarian: Закон за защита на личните данни), promulgated in the State Gazette No. 1 of January 4, 2002, as amended periodically (the Act). The Act came into force on January 1, 2002.

In view of the entry into force of Regulation (EU) 2016/679 (General Data Protection Regulation – ‘GDPR’), the Personal Data Protection Act was amended by a law for amendment and supplementation which was promulgated in the State Gazette No. 17 of February 26, 2019.

The Personal Data Protection Act as amended (hereinafter referred to as the ‘Personal Data Protection Act’) serves a twofold purpose – it effectively implements the GDPR into national legislation and also transposes Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

The Personal Data Protection Act complements the GDPR by providing regulation on matters in the field of personal data processing that have not been explicitly covered by the GDPR, or where the GDPR has left room for the exercise of legislative discretion. As the regulation has direct effect and is applicable in all EU member states without the need to adopt a designated legislative act, the Bulgarian legislator has adopted the approach of directly referring to and implementing the GDPR without repeating the core provisions of the regulation in the Personal Data Protection Act.

Under the Personal Data Protection Act the role of supervisory authority is shared between the Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having competence only with regard to data processing by courts, prosecution offices and criminal investigative bodies in their capacity as judicial authorities. The Personal Data Protection Act further regulates the legal remedies in cases of violation of personal data law, accreditation and certification in the field of personal data protection, and administrative liability and administrative measures in cases of violations of its provisions.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

Definition of personal data

The definition of personal data previously set forth by the Personal Data Protection Act was repealed following the implementation of the GDPR, and the Act now explicitly refers to the definition of personal data under art. 4 of the GDPR (§1 of the Supplementary provisions of the Personal Data Protection Act).

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of sensitive personal data

The Personal Data Protection Act refers explicitly to the definitions under the GDPR, which applies following its direct effect in all EU member states.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Bulgarian data protection authority (DPA) is the Personal Data Protection Commission (in Bulgarian: Комисия за защита на личните данни, the ‘Commission’).

2 Professor Tsvetan Lazarov, Sofia 1592
Bulgaria
kzld@cpdp.bg
www.cpdp.bg

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The requirement for registration of data controllers before the Commission for Personal Data Protection was repealed with the implementation of the GDPR.

Pursuant to the Personal Data Protection Act, the Commission for Personal Data Protection maintains the following public registers:
a register of data controllers and data processors who have appointed data protection officers, containing the name of the data controller/data processor, the name of the appointed data protection officer and its contact details;
a register of the accredited certifying bodies under art. 14, containing information on the name and the contact details of the certifying body and on the period of validity of its accreditation;
a register of codes of conduct, which includes the name of the code, the name of the editor and the relevant certification body, information about the sector concerned and its content.

The Commission shall also maintain (a) an internal register of established breaches of the GDPR and the Personal Data Protection Act, (b) a register of the measures taken in accordance with art. 58, para 2 of the GDPR, and (c) a register of the personal data destroyed on a monthly basis by providers of public electronic communication networks and/or services in accordance with art. 251g of the Electronic Communications Act. These registers, however, are not public.

In accordance with the Rules of Procedure of the Commission for Personal Data Protection and its Administration, the above-mentioned registers are held in electronic format and should be updated regularly.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):
to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
to monitor compliance with the law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff;
to advise on and monitor data protection impact assessments where requested; and
to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Personal Data Protection Act does not set an explicit requirement to appoint a data protection officer, thus the general requirement pursuant to the GDPR applies. Pursuant to the Personal Data Protection Act, data controllers are obliged to communicate the personal details and contact details of the DPO, as well as any subsequent replacements, to the Commission for Personal Data Protection, and will also have to publish their contact details. An approved notification form, which was recently updated by the Commission for Personal Data Protection, is available at the following website (only in Bulgarian): https://www.cpdp.bg/userfiles/file/Documents_2020/UVEDOMLENIE_DLZD-KZLD

COLLECTION & PROCESSING


Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):
processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up-to-date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):
with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);
where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);
where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):
with the explicit consent of the data subject;
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
in limited circumstances by certain not-for-profit bodies;
where processing relates to personal data which are manifestly made public by the data subject;
where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:
any link between the original purpose and the new purpose;
the context in which the data have been collected;
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
the possible consequences of the new processing for the data subjects; and
the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:
the identity and contact details of the controller;
the data protection officer’s contact details (if there is one);
both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
the recipients or categories of recipients of the personal data;
details of international transfers;
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
the consequences of failing to provide data necessary to enter into a contract;
the existence of any automated decision making and profiling and the consequences for the data subject; and
in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject; or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:
a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Personal Data Protection Act does not repeat the core provisions of the GDPR relating to collection and processing

of personal data in its body. However, following the direct effect of the GDPR in all EU member states, the provisions of

the regulation in this respect shall be applied in all cases of data collection and processing.. The Personal Data Protection

Act explicitly previews that in case the data subject provides his / her personal data to a data controller or a data

processor in breach of Art. 6, para (1) (legal grounds for processing) and Art. 5 (principles for data processing) GDPR, the

data controller / data processor should have to immediately return the data or delete / destroy the data within one month

of becoming aware of the breach (art. 25a of the Personal Data Protection Act).

The Personal Data Protection Act also introduces additional rules relating to specific data processing situations:

Conditions applicable to child’s consent in relation to information society services – The Personal Data Protection Act introduces a lower age of the data subject, under which the consent of a parent or a guardian is required for the lawful processing of personal data of a child in cases of direct provision of information society services. Under the Personal Data Protection Act, if the data subject is under 14 years old, consent by a parent exercising the parental rights or by a guardian of the data subject is required for the lawful processing of the data.

Processing of personal identification number – Under the Personal Data Protection Act, public access to personal

identification number / personal identification number of a foreigner (‘PIN/PINF’) shall be granted only if required

by law. Data controllers providing electronic services should undertake appropriate technical and organizational

measures to prevent the PIN/PINF from being the sole identifier for the use of their services.

Processing and freedom of expression and information – Where personal data is processed for the exercise of

freedom of expression and information, including for journalistic purposes and for the purposes of academic,

artistic or literary expression, the data controller should assess the lawfulness of such processing in each

particular case. The Personal Data Protection Act sets a number of assessment criteria to be used by data

controllers/processors in the assessment of the lawfulness of processing such as the type of the personal data

processed, the impact of the public disclosure on the privacy of the data subject and his/her reputation etc.

However, the Bulgarian Constitutional Court (Decision Nr. 8 dated November 15, 2019) declared the assessment criteria set forth by the Personal Data Protection Act to be unconstitutional. More particularly, the criteria were found to be unclear, and therefore to create unpredictability and legal uncertainty and to restrict disproportionately the freedom of expression and information. Based on this decision, the above-mentioned criteria no longer apply. The balancing test between the freedom of expression and the right to information on the one hand and the protection of personal data on the other shall be made on a case-by-case basis, taking into consideration the specific circumstances and interests at stake. Further guidance in this respect was provided in a recent decision of the Supreme Administrative Court (Decision Nr. 11636 dated November 16, 2021), which clarified how the balance between these competing rights shall be assessed in each individual case.

Processing in the context of employment – The Personal Data Protection Act regulates explicitly certain matters

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Bulgaria 173 | | | www.dlapiperdataprotection.com

related to personal data processing in the context of an employment relationship. Employers may take a copy of an employee’s identification documents, driving license or residence document only if required by law. In addition, according to a statement by the Commission for Personal Data Protection, information on the criminal background of employees can also be processed by employers only if explicitly provided for by law. Other legal grounds, such as consent or legitimate interest, cannot be applied for the processing of criminal records information. Most recently, the Commission for Personal Data Protection has adopted several opinions concerning the processing of employee health data by employers in the context of Covid-19; in particular, the latter provide that employers:

cannot request information from a remote-working employee whether he/she (or any of his/her family

members) has tested positive for Covid-19; such information can only be disclosed voluntarily by the

employee;

may provide anonymized information to their employees about established Covid-19 cases in the

company (i.e. without revealing the identity of the infected employee(s));

can order/organize Covid-19 group testing of employees, without processing or having access to the test

results – since the latter contain sensitive health data, they can only be processed by competent health

authorities;

may process only aggregated data on the vaccination status of employees, gathered voluntarily and on an anonymous basis by the appointed Labour Medicine Office (a third-party service provider in the field of occupational medicine, which each employer shall appoint) for the purposes of risk assessment of the health and safety conditions at the workplace.

Employers should adopt rules and procedures for:

the use of breach reporting system;

restrictions on the use of internal company resources;

introduction of systems for control access, working time and labor discipline.

These rules and procedures shall contain information on the scope, obligations and methods with respect to their

application. The Personal Data Protection Act recognizes that the business purpose of the employer and the nature

of the related work processes shall have to be taken into account upon the adoption of the rules and procedures.

The rules and procedures will have to be brought to the attention of the employees.

Employers shall have to further determine a retention period for the personal data collected during the recruitment

process, which however may not be longer than six months, unless the candidate consented to a longer period.

Where the employer has, for recruitment purposes, requested original or notarized copies of documents certifying

the physical and mental fitness of the applicant, the required degree, or the length of service for the previous

positions occupied, the employer should return the submitted documents within six months of the conclusion of

the recruitment procedure unless otherwise provided by specific law.

Personal data processing by way of large-scale surveillance of publicly accessible areas – Under the Personal Data

Protection Act data controllers and data processors shall adopt internal rules for the processing of personal data

through systematic large-scale surveillance of publicly accessible areas, including via video surveillance. These rules

should put in place appropriate technical and organizational measures to ensure the protection of data subjects’

rights and freedoms. The Personal Data Protection Act provides a definition for ‘large-scale’ – a systematic

monitoring and / or processing of personal data of an unlimited number of data subjects. The rules for personal

data processing through large-scale surveillance of publicly accessible areas shall define the legal grounds and

objectives for the introduction of a monitoring system, the location, scope and means of monitoring / surveillance,

retention periods for the information records and their deletion, the right of review by the persons being subject

to surveillance, the means of informing the public about the monitoring carried out, as well as the restrictions on

granting access to such information to third parties. The minimum requirements for data controllers / data

processors with respect to the aforementioned obligations shall be published on the website of the Commission

for Personal Data Protection.

Processing of personal data of deceased persons


The Personal Data Protection Act stipulates that when processing the personal data of deceased persons, data controllers shall have to take appropriate measures to prevent the rights and freedoms of others and the public interest from being adversely affected. In such cases, the data controller may retain the data only if there is a legal basis therefor. In addition, data controllers shall provide upon request access to the personal data of a deceased person, including a copy thereof, to his / her heirs or other persons with a legal interest.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Korea, the United Kingdom, Eastern Republic of Uruguay

and New Zealand. 

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The appropriate safeguards include, among others, binding corporate rules and standard contractual clauses. The EU – US Privacy Shield Framework was invalidated by the European Court of Justice in the so-called Schrems II decision, so it can no longer be used by data controllers and processors as a mechanism for cross-border data transfers from the EU to the US. On 4 June 2021 the European Commission adopted a new set of standard contractual clauses for transfers outside the EU/EEA. Data controllers and processors have until 27 December 2022 to renegotiate their existing data processing agreements based on the old set of standard contractual clauses in order to reflect the new clauses adopted by the European Commission.

The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek

prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

(a) explicit informed consent has been obtained;

(b) the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

(d) the transfer is necessary for important reasons of public interest;

(e) the transfer is necessary for the establishment, exercise or defence of legal claims;

(f) the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

(g) the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data transfer and does


not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all EU

member states, the provisions of the regulation relating to this matter shall be applied in all cases of data transfer.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

(a) the pseudonymization and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding security of personal data

and does not introduce any additional rules or requirements in this respect.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding data breach notification

and does not introduce any additional rules or requirements in this respect. Following the direct effect of the GDPR in all


EU member states, the provisions of the regulation relating to this matter shall be observed. The Commission for

Personal Data Protection has recently adopted a template for data breach notification, which controllers may use. The template is available online (https://www.cpdp.bg/userfiles/file/Documents_2021/UVEDOMLENIE%20po%20chl_%2033%20GDPR), in Bulgarian language only.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:


any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The functions of supervision and control of the compliance with the GDPR in Bulgaria are shared between the

Commission for Personal Data Protection and the Inspectorate to the Supreme Judicial Council, the latter having

competence only with regards to data processing by courts, prosecution offices and criminal investigative bodies in their

capacity as judicial authorities.

The competences of the Commission are further defined by reference to art. 57 and 58 of the GDPR. Apart from

performing the powers under the GDPR, the Commission is also entitled to:

analyze and carry out overall supervision and ensure compliance with the GDPR, the Personal Data Protection

Act and the legislative acts in the area of personal data protection;

issue secondary legislation in the area of personal data protection;

ensure the implementation of the decisions of the European Commission on the protection of personal data and the implementation of binding decisions of the European Data Protection Supervisor;

participate in international cooperation between data protection authorities and international organizations on

personal data protection issues;

participate in the negotiation and conclusion of bilateral or multilateral agreements on matters within its

competence;

organize, coordinate and conduct training in the field of personal data protection;

issue administrative acts related to its authority in the cases provided for by law;

adopt criteria for the accreditation of certification bodies;

bring proceedings before the court for breach of the GDPR;

issue mandatory instructions, give instructions and recommendations regarding the protection of personal data;

impose coercive administrative measures.

The internal Rules of Procedure of the Commission further clarify its tasks, procedures and rules for work of its

administration, as well as rules for the proceedings before the Commission.

The Personal Data Protection Act does not derogate from the provisions of the GDPR regarding administrative sanctions,

but directly refers to the amounts of fines and pecuniary sanctions set out by the GDPR and the respective criteria for

their determination. The Personal Data Protection Act specifies that all sanctions shall be imposed in the BGN equivalent

of the EUR amounts set by the GDPR.

For other violations under the Personal Data Protection Act the data controller / data processor shall be subject to a fine

or a pecuniary sanction of up to BGN 5000.

The Commission’s decisions are subject to appeal before the Administrative Court Sofia within 14 days of receipt. Decisions of the Administrative Court are subject to appeal before the Supreme Administrative Court, whose decisions are final.

In case of a violation of his / her rights under the GDPR and the Personal Data Protection Act, every data subject is

entitled to refer the matter to the Commission for Personal Data Protection within one year of becoming aware of the


breach, but no later than five years from the breach taking place. In addition, data subjects are entitled to appeal the actions and acts of the data controller / data processor directly before the administrative courts or the Supreme Administrative Court, except where proceedings before the Commission on the same matter are pending, or where a decision of the Commission regarding the same breach has been appealed and no court decision has yet entered into force. The transfer or distribution of computer or system passwords which results in the illegitimate disclosure of personal data constitutes a crime under the Bulgarian Criminal Code (promulgated in the State Gazette No. 26 of April 2, 1968, as amended periodically), and the penalty for such a crime includes imprisonment for up to three years.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Personal Data Protection Act does not introduce any rules relating specifically to e-marketing. As the legal grounds

for processing of personal data under the GDPR are also applicable in the area of e-marketing, the explicit consent of the

data subject is likely to be the most suitable ground for the purposes of e-marketing. In certain cases, such processing may

also be justified by legitimate interest – according to Recital 47 of the GDPR, direct marketing could be based on

legitimate interest, to the extent that: (i) it is targeted only to existing customers; and (ii) the customers can reasonably

expect to receive direct e-marketing communications. Still, the possibility to rely on legitimate interest for the purposes of

e-marketing would need to be assessed on a case-by-case basis.

In addition, although the provision of the Personal Data Protection Act regulating the right of the data subject to object to any data processing for the purposes of direct marketing has been repealed, and the Act does not explicitly refer to the respective provision of the GDPR, following the direct effect of the regulation data subjects are still entitled to object before the data controller or the data processor to their personal data being processed for the purposes of e-marketing.

The Bulgarian Electronic Communications Act explicitly requires, when it comes to direct marketing to natural persons,

the opt-in mechanic to be mandatorily applied. After the natural person’s consent is provided, the person shall always be

given the opportunity to opt out from the direct marketing network and refuse his / her personal data to be further

processed for such purposes.

ONLINE PRIVACY

Directive 2002/58 (E-Privacy Directive) is transposed into the Bulgarian Electronic Commerce Act. In 2011 the intention of the

legislator was to introduce the amendments of Art. 5(3) under Directive 2009/136. However, the final adopted text still replicates


the old wording before Directive 2009/136. The amendment itself was widely interpreted as implementing the text of Directive

2009/136 without, however, introducing the updated text.

Currently, instead of requiring the user’s consent, the relevant text in the Electronic Commerce Act states that users should be

provided with clear and comprehensive information in accordance with Art.13 of the GDPR and they must be given the

opportunity to refuse the storage or access to such information (i.e. opt-out regime).

KEY CONTACTS

Wolf Theiss

www.wolftheiss.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Anna Rizova
Partner

Wolf Theiss

T +359 2 8613703

anna.rizova@wolftheiss.com


BURKINA FASO

Last modified 10 January 2022

LAW

The data protection regime in Burkina Faso is governed by the following laws and regulations:

Law No. 001-2021 of March 30, 2021 on the protection of persons with regard to the processing of personal data.

Law 010-2004/AN on the protection of personal data.

Decree No. 2007-283/PRES/PM/MPDH of 18 May 2007 regarding the organisation and functioning of the Commission de l’Informatique et des Libertés;

Decree No. 2007-757/PRES/PM/MPDH/MEF appointing the members of the Commission de l’Informatique et des Libertés; and

Order No. 2008/001/CIL fixing the internal regulations of the Commission de l’Informatique et des Libertés.

Burkina Faso also adopted, on 22 November 2013, the Marrakech resolution issued by the French-speaking association of data protection authorities relating to the procedure for the supervision of personal data transfers in the French-speaking world by means of binding corporate rules.

DEFINITIONS

Definition of Personal Data

Any information that allows, in any form whatsoever, directly, or indirectly, the identification of natural persons, in particular by

reference to an identification number or to several characteristics specific to their physical, psychological, mental, economic,

cultural or social identity (Article 5 of the Law).

Definition of Sensitive Personal Data

Any personal data relating to the data subject’s health or that reveal racial or ethnic origins, political, philosophical or religious

opinions, union membership, morals, investigation and prosecution of offenders, criminal or administrative penalties, related

security measures or other measures of a similar nature (Article 5 of the Law).

NATIONAL DATA PROTECTION AUTHORITY

Burkina Faso’s data protection authority is the Commission de l’Informatique et des Libertés (‘CIL’).

The CIL draws its membership from various segments of society. It is charged with:

making individual or regulatory decisions in cases provided for under the law

assisting with data processing inspections and obtaining all information and documents needed for its mission

issuing model rules to ensure security; and where appropriate, prescribing safety measures including the destruction of

information


issuing enforcement notices to data controllers and sharing with the prosecutor’s office the offenses of which the body is

aware

ensuring that the implementation of the right of access and rectification indicated in the acts and declarations does not impede the free exercise of this law

receiving complaints and petitions

staying informed of the latest technological developments, and keeping abreast of their effects on the right to the protection of privacy, the exercise of freedoms, and the functioning of democratic institutions

advising individuals and organisations that use automated processing, or who carry out tests or experiments likely to lead

to such processing

responding to requests for public opinion

proposing legislation or regulations to the Government to adapt the protection of freedoms to technological evolution

REGISTRATION

There is no country-wide system of registration in Burkina Faso. However, the law imposes an obligation of notification and annual reporting to the National Data Protection Authority. These annual reports provide information on the activity of those responsible for personal data throughout the year concerned.

DATA PROTECTION OFFICERS

We have not identified any obligation to appoint a data protection officer (‘DPO’) or any other equivalent role in the law.

COLLECTION & PROCESSING

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. These include:

consent and legitimacy: unless otherwise provided by law, data controllers are obligated to obtain consent from the data subject

purpose: personal data can only be collected and processed for a specific and legitimate purpose

proportionality and relevance: personal data must only be processed in a relevant and necessary manner regarding the purpose and objectives of the processing

lawfulness and fairness: data controllers must collect and process data in a fair, lawful, and not fraudulent manner

data retention: a specified period of time should be determined in advance depending on the purpose of processing to ensure that personal data is not stored indefinitely

security and confidentiality: all persons responsible for processing personal data must not only ensure the security of data or files to prevent their destruction or alteration, but also prevent unauthorised access to personal data contained in a file or intended to form part of the files

preliminary formalities: unless an exception or exemption is provided by law, all data controllers shall, depending on the nature of the personal data processing, notify the CIL, ask for its opinion, or obtain its approval, as applicable

Except where provided otherwise by the law, any processing of personal data shall be carried out with the express consent of the data subject(s).

The processing of personal data can legally be carried out without the consent of the data subject(s), when it is necessary for:

the performance of a contract to which the data subject is a party; or

pre-contractual measures taken at the request of the data subject;

compliance with a legal obligation to which the controller is subject and when the processing is essential to protect the life of the data subject or that of a third party;

the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services, provided that it is carried out by a member of a health profession or by another person who, by reason of his/her duties, is bound by professional secrecy;

the establishment of an offence, a right, or the exercise or defence of a right in a court of law and when the said processing relates to data made public by the data subject.

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller. The data subject may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Data subjects may request erasure of their personal data. They have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

Unless an authorisation is required, the law provides that controllers should notify all processing to the CIL. The following are exempt from the notification requirement to the CIL:

temporary copies that are made as part of the technical activities of transmission and provision of access to a digital network for the purpose of automatic intermediate and transitory storage of data for the sole purpose of allowing other recipients of the service the best possible access to the information;

processing carried out by a natural person for the exercise of exclusively personal or domestic activities;

disclosed to third parties and not used to support actions or decisions against an individual;

automated processing of personal data for the purpose of research in the field of health;

automated processing of personal data carried out on behalf of the State, a public institution, a local authority or a legal person under private law managing a public service.

With respect to day-to-day processing of data which do not infringe on privacy or freedoms, the Law provides that the CIL establishes and publishes ‘simplified norms,’ which shall include certain information, including:

the date of the declaration;

the full name and address or the name and headquarters of the person making the request and the person who has the power to decide on the creation of the data processing (data controller) or, if he or she resides abroad, his or her representative in Burkina Faso;

the characteristics, purpose and, if applicable, the name of the data processing operation;

the department or departments responsible for carrying out the processing;

the department to which the right of access is to be exercised and the measures taken to facilitate the exercise of this right;

the categories of persons who, by reason of their functions or for the needs of the service, have direct access to the information recorded;

the personal information processed, its origin and the length of time it is kept, as well as the recipients or categories of recipients authorized to receive this information;

the reconciliation, interconnection or any other form of linking of this information as well as its transfer to third parties;

the measures taken to ensure the security of data and information processing and the guarantee of secrets protected by law;

if the data processing is intended for the dispatch of personal data between the territory of Burkina Faso and abroad in any form whatsoever, including when it is the object of operations partially carried out on the territory of Burkina Faso from operations previously carried out outside Burkina Faso.

When processing complies with a simplified norm issued by the CIL, no authorisation or notification is required; only a ‘simplified declaration of conformity’ to the said norm is required. The simplified declaration of conformity shall be sent to the CIL. Unless otherwise decided by the CIL, a receipt is issued without delay after the simplified declaration of conformity has been sent. On receiving this receipt, the applicant can start carrying out the processing.

Except in cases where they are authorised by law, automated processing of personal data carried out on behalf of the State, or on behalf of any public institution, local authority, or private legal person operating a public service, must be authorised by decree after the CIL’s approval. In the case of a negative opinion by the CIL, an appeal can be lodged with the Administrative Supreme Court (Conseil d’Etat).


TRANSFER

The provisions of the Law pertaining to international transfers are broadly drafted.

According to said provisions, international transfers cannot be made without respecting the following conditions:

request the authorisation of the CNIL;

sign with the contracting party a data confidentiality clause and a data reversibility clause in order to facilitate the complete migration of the data at the end of the contract;

implement technical and organisational security measures.

Additionally, the transfer can only be made to a foreign country or an international organisation if the beneficiary country or international organisation ensures an adequate level of protection equal to the one ensured in Burkina Faso (Article 42 of the law).

As a signatory to the Marrakech Resolution of 22 November 2013, Burkina Faso recognizes the application of the French-speaking RCE, which consist of a code of conduct by which a group of companies defines its internal policy on the transfer of personal data. The RCE are based on and designed after the model of the European Commission’s binding corporate rules (‘BCR’).

In practice, the RCE mechanism concerns the authorities of the AFAPDP member countries that have adopted the cooperation protocol and the resolution on the framework for data transfers in the French-speaking area. This concerns at least the following 13 countries: Albania, Andorra, Belgium, Benin, Burkina Faso, France, Gabon, Luxembourg, Mauritius, Morocco, Senegal, Switzerland and Tunisia.

The RCE cover intra-group transfers of personal data carried out by a company established in an AFAPDP member country to other companies of the group, whether the latter are located in an AFAPDP member country or not.

SECURITY

The personal data Act is not prescriptive about specific technical standards or measures.

However, Article 24 states that the data controller shall take all necessary measures in view of the nature of the data and the architecture of the processing, in particular to prevent them from being distorted, damaged, lost, stolen or accessed by unauthorised parties.

BREACH NOTIFICATION

Not applicable.

Mandatory breach notification

We have not identified, in the law, any general obligation to notify the data subject in the case of a security breach. However, Article 21 of the law provides that in the event where ‘information has been transmitted by mistake to a third party, its rectification or cancellation shall be notified to that third party, unless an exemption is granted by the control authority’ (i.e. the CIL).

ENFORCEMENT

As of 14 December 2021, we have not identified any notable enforcement decision issued by the CIL pertaining to the law.

ELECTRONIC MARKETING

The personal data Act will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 49 of law No. 045-2009/AN of November 10, 2009 regulating electronic services and transactions in Burkina Faso and Article 14 of the personal data Act).

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 20 of the Personal Data Act.

The data subject has the right to object at any time to the use of his/her personal data for such marketing. 

This right to object must be explicitly brought to the attention of the data controller. 

However, the data controller may not respond favourably to a request to exercise the right to object if it demonstrates the existence of legitimate reasons justifying the processing, which override the interests, fundamental rights and freedoms of the data subject.

ONLINE PRIVACY

The Law does not provide any specific rules governing cookies and location data.

However, pursuant to Article 10 of the Law, the data controller must implement all appropriate technical and organisational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution or access by unauthorised persons.

KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Dr. Sangare Mouhamoud
Associate

Geni & Kebe

T +2250779107541

m.sangare@gsklaw.sn

Dr. Francky Lukanda
Senior Associate

Geni & Kebe

T +2250584344660

f.lukanda@gsklaw.sn


BURUNDI

Last modified 28 January 2019

LAW

Burundi does not have a law that specifically regulates personal data protection. However, several laws and regulations currently in force contain data protection provisions or impose confidentiality obligations on specific types of personal information. For example, employment, banking, telecommunications and health sector laws impose some data protection requirements. Such provisions generally require covered entities to maintain the confidentiality of personal information.

Under Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, healthcare institutions are required to maintain the confidentiality of patient information, unless confidentiality is waived in cases provided for by law.

Law No. 1/17 of August 22, 2017 governing banking activities: Article 133 imposes confidentiality obligations on customer and account information. This article provides that any person who contributes to the operation, control or supervision of a banking institution is bound to professional secrecy. Violations are enforced under penal code provisions without prejudice to disciplinary proceedings.

Several Ministerial Orders applicable to the telecommunications sector have been adopted to protect the privacy of and restrict access to and interception of the contents of communications (Legislative Decree No. 100/153 of June 17, 2013 on the Regulation of the Control and Taxation System for International Telephone Communications entering Burundi; Decree-Law No. 100/112 of April 5, 2012 on the Reorganization and Operation of the Telecommunications Regulatory and Control Agency ‘ARCT’; Ministerial Ordinance No. 730/1056 of November 7, 2007 on the interconnection of telecommunications networks and services opened to the public).

DEFINITIONS

Definition of personal data

Not specifically defined. 

Definition of sensitive personal data

Not specifically defined.

NATIONAL DATA PROTECTION AUTHORITY

There is no national data protection authority in Burundi.

REGISTRATION


There is no requirement to register databases.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION & PROCESSING

Most sector specific laws and regulations that impose confidentiality and data protection requirements apply to covered entities under the law or regulation, and require such entities to maintain the confidentiality of personal information during processing.

TRANSFER

No geographic transfer restrictions apply in Burundi. Certain sector specific provisions require companies to obtain consent prior to third party transfers of personal information. Notably, under Article 16 of Law n° 1/012 of May 30, 2018 on the Code of Health Care and Health Services Provision in Burundi, “every patient has the right to decide on the use of the medical information concerning him and the conditions under which they may be transmitted to third parties.”

SECURITY

There are no specific data security requirements in Burundi.

BREACH NOTIFICATION

There are no breach notification requirements in Burundi.

ENFORCEMENT

The relevant sector specific agency or regulator is generally authorized to enforce violations of confidentiality requirements.

ELECTRONIC MARKETING

There are no specific electronic marketing requirements in Burundi.

ONLINE PRIVACY

There are no specific online privacy requirements in Burundi.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Claver Nigarura
Managing Partner

Rubeya & Co-Advocates

T +257 22 24 89 10

claver@rubeya.bi


CAMBODIA

Last modified 17 December 2021

LAW

Cambodia has not yet enacted any comprehensive data protection legislation.

The most recent update to the country’s data protection landscape has come in the form of the E-Commerce Law, which contains provisions for the protection of consumer data that has been gathered over the course of electronic communications. The E-Commerce Law is thereby restricted in scope to virtual and/or digital data protection.

Other matters pertaining to data protection typically fall under the right to privacy, which is protected in broad terms under the Constitution of the Kingdom of Cambodia 2010, the Civil Code of Cambodia 2007, and the Criminal Code of the Kingdom of Cambodia 2009.

DEFINITIONS

Definition of Personal Data

Cambodian law does not specifically define the term “personal data,” or discuss what specific information constitutes personal data.

The E-commerce Law defines the term “data” as “a group of numbers, characters, symbols, messages, images, sounds, videos, information or electronic programs that are prepared in a form suitable for use in a database or an electronic system”.

Due to the absence of a definition of “personal data”, it remains plausible that any data of a data subject may be viewed by the regulatory and enforcement authorities as personal data of that data subject. Therefore, conventional data, such as full names, national identification numbers, passport numbers, photographs, video, images, phone numbers, personal email addresses, biometric data, IP addresses, and other network identifiers, etc., may arguably constitute personal data.

Definition of Sensitive Personal Data

There is no express definition of what constitutes sensitive personal data. That said, based on laws applicable to persons and entities in other sectors (such as doctors and banks), the types of data below are generally considered to be of a more sensitive nature, and thus should be handled with more stringent data protection mechanisms:

medical data

financial data

personal data of children, and

personal identifiers (e.g., national identification cards and passport details).

As there is no clear limit as to the scope of what may be considered sensitive data, any data of a data subject should be prudently treated as sensitive data to the greatest extent possible.


NATIONAL DATA PROTECTION AUTHORITY

Since Cambodia does not have any dedicated laws on data protection, there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia.

That said, the following governmental bodies may have substantial powers over data protection matters:

the Ministry of Commerce (“MOC”)

the Ministry of Post and Telecommunications (“MPTC”), and

the Ministry of Interior (“MOI”).

REGISTRATION

Since Cambodia does not have any dedicated laws on data protection, there are no specific registration requirements for data protection. However, “Electronic Commerce Service Providers” and “Intermediaries” (in an e-commerce context), who would likely store, process and transfer the data of the data subjects, must register with the MOC and MPTC.

Under the E-Commerce Law, “Electronic Commerce Service Providers” are defined as persons who use electronic means to supply goods and/or services, except insurance institutions, and an “Intermediary” is broadly defined as a person who provides services of sending, receiving, transmitting or storing, either on a temporary or permanent basis, electronic communications, or other services relating to electronic communications, including persons who represent the originators; persons providing means of seeking any data in an electronic system; persons providing online marketing and online commercial services; and other persons as specified under the E-Commerce Law.

DATA PROTECTION OFFICERS

Since Cambodia does not have any dedicated laws on data protection, there are no specific requirements in Cambodia to appoint data protection officers who are specifically tasked with handling, overseeing or implementing data protection matters in Cambodia.

COLLECTION & PROCESSING

As Cambodia has not enacted any dedicated or comprehensive data protection laws, there are no laws or regulations in Cambodia that explicitly and specifically discuss the concept of collection and processing of data.

Based on Cambodia’s existing legal framework for data privacy, seven data protection obligations are either implied or explicitly imposed. Those obligations are discussed below.

1. Consent Obligation: Obtain consent from the individual before collecting, using, or disclosing his/her personal data for a purpose. Organizations should allow an individual who previously gave consent to withdraw his/her consent.

2. Purpose Limitation Obligation: Collect, use, or disclose personal data about an individual only for purposes that are reasonable and that have been disclosed/notified to the individual concerned.

3. Disclosure/Notification Obligation: Disclose to or notify the individual of the purpose(s) for which the organization intends to collect, use or disclose the individual’s personal data on or before such collection, use or disclosure of the personal data. The purposes notified must be reasonable.

4. Correction Obligation: Correct any incorrect or inaccurate personal data of a data subject that is in the possession or under the control of the organization upon request of the data subject.

5. Access Obligation: Allow data subjects to access their personal data in the possession or under the control of an organization for correcting the information under the Correction Obligation.

6. Protection Obligation: Protect personal data in its possession or under its control by taking necessary measures to prevent loss, unauthorized access, use, alteration, leak, disclosure, or otherwise.

7. Retention Obligation: Retain all personal data that is in its system, and that may give rise to civil and criminal liability.

TRANSFER


While Cambodian law does not explicitly prohibit an organization from transferring data, it implies a disclosure/notification obligation under its existing legal framework for data protection. Personal data can only be collected, used, or disclosed for purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances.

Where the use and disclosure of the personal data is for a purpose different from that for which it was initially collected, it is necessary to notify the individual of the new purpose and obtain a new consent unless:

the new purpose is within the scope of the original consent, or

implied consent can be established.

Implied consent refers to any act that is generally recognized as consent under applicable trade practices. However, it is recommended that a new consent that is express and written be obtained once service providers use or disclose personal data for a purpose different from that for which it was collected.

When a service provider is seeking consent from the data subject, the service provider must disclose or notify the data subjects of the purpose(s) for which it intends to collect, use or disclose the data subjects’ personal data before such collection, use or disclosure of the personal data. Cambodia’s laws related to data protection do not prescribe how an organization should notify individuals. Organizations must determine what would be the most appropriate form of notification. The form of the disclosure/notification to obtain each data subject’s consent should be as close to a formal contract as possible. Moreover, requirements such as clicking on the consent button, typing a full legal name for the signature, and/or scrolling through all terms of the disclosure/notification should be implemented. Furthermore, disclosures/notifications to the individuals regarding the purpose of the collection, use, and disclosure of personal data must not be too vague or broad in scope; an appropriate level of specificity should be provided.

Therefore, where the organization will be disclosing or transferring personal data to third parties, the organization should notify the individuals of such disclosure or transfer. Any consent provided by the individual without first being disclosed or notified of the purposes would not be valid.

SECURITY

Article 32 of the E-Commerce Law directly addresses matters of data protection in the course of electronic communication. Service providers that electronically store consumers’ private information must take all reasonable security measures to avoid loss, modification, leakage, and/or unauthorized disclosure of all consumer data. The E-Commerce Law notes, however, that disclosures are allowable with the consent of authorities, or with the consent of the individual whose data is being disclosed. The E-Commerce Law does not specify which mechanisms are required; any measures may be used as long as they reasonably protect the data from loss, or from unauthorized or unlawful access, use, alteration, or disclosure.

The E-Commerce Law also prohibits any encryption of data that may be used as evidence for any accusation or offence. This obligation potentially allows governmental authorities to order the decryption of data implicated in an investigation.

The E-Commerce Law also makes a blanket prohibition on certain forms of cybercrime, including interference with any electronic system for the purpose of accessing, downloading, copying, extracting, leaking, deleting, or otherwise modifying any stored data in bad faith or without authorized permission.

In case the service provider is not under the scope of the E-Commerce Law, the obligations under the laws of general application that require consent of data subjects when collecting, using, disclosing, and processing data would imply that the service provider still needs to protect data from any unauthorized acts.

BREACH NOTIFICATION

There is no breach notification requirement under Cambodian law.


ENFORCEMENT

Since there are no regulatory or enforcement authorities that are specifically tasked with handling, overseeing or implementing personal data protection matters in Cambodia, the enforcement of data protection would generally fall under the auspices of authorities across various sectors:

the Ministry of Commerce

the Ministry of Post and Telecommunications, and

the Ministry of Interior.

ELECTRONIC MARKETING

Since Cambodia does not have any dedicated laws on data protection, there are no special requirements when obtaining consent for marketing purposes. The E-commerce Law suggests that it is not necessary to obtain consent from the individual to send marketing communications as long as each marketing communication has clear and straightforward opt-out instructions and the individual has not previously exercised his/her opt-out right. Electronic marketing in Cambodia is subject to the general laws relating to digital marketing issues including:

Law on Consumer Protection, which prohibits “unfair practices” in relation to consumer transactions. Unfair practices include unfair sales; bait advertising; unfair solicitation sales; demanding or accepting payments without intention to supply goods or services per the purchase order; making a false claim or representation of some business activity; coercion by force and mental threats; pyramid schemes; selling goods bearing a false trade description; and any other unfair practices.

Law Concerning Marks, Tradenames and Acts of Unfair Competition, which is relevant to comparative advertising. The following acts are considered acts of unfair competition: all acts that create confusion with the establishment, the goods, or the industrial, commercial or service activities of a competitor; false allegations in the course of trade of such a nature as to discredit the establishment, the goods, or the industrial, commercial or service activities of a competitor; and indications or allegations of the use of marks which, in the course of trade, mislead the public as to the nature, manufacturing process, characteristics, suitability for their purpose, or quantity of the goods.

Telecommunications Law, prohibiting all activities against the principles of fair, free, equal, and effective competition.

Other regulations on the Management of Advertisement on Website, Social Network, Mass Media and Mobile Phone Operators.

ONLINE PRIVACY

As mentioned under Transfer, personal data can only be collected, used, or disclosed for purposes that the individual understands and has given consent to at the time of giving initial consent or a new consent. Such purposes must be disclosed or notified to data subjects in a reasonable manner based on the circumstances. That said, any personal data, including location data, can only be collected and shared online through website cookies after the organization obtains consent from the data subject.

For obtaining consent from the data subject, please refer to the Transfer section.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Jay Cohen
Partner and Director of Cambodian Office

Tilleke & Gibbins (Cambodia) Ltd

T (+855) 17 87 57 238

jay.c@tilleke.com

Sochanmalisphoung Vannavuth
Associate

Tilleke & Gibbins (Cambodia) Ltd

T (+855) 10 61 65 91

sochanmalisphoung.v@tilleke.com


CANADA

Last modified 24 January 2022

LAW

In Canada there are 28 federal, provincial and territorial privacy statutes (excluding statutory torts, privacy requirements under other legislation, federal anti-spam legislation, criminal code provisions etc.) that govern the protection of personal information in the private, public and health sectors. Although each statute varies in scope, substantive requirements, remedies and enforcement provisions, they all set out a comprehensive regime for the collection, use and disclosure of personal information.

The summary below focuses on Canada’s private sector privacy statutes:

Personal Information Protection and Electronic Documents Act (‘PIPEDA’)

Personal Information Protection Act (Alberta) (‘PIPA Alberta’)

Personal Information Protection Act (British Columbia) (‘PIPA BC’)

An Act Respecting the Protection of Personal Information in the Private Sector (‘Quebec Privacy Act’), (collectively,

‘Canadian Privacy Statutes’)

We expect PIPEDA to be significantly amended or replaced by a new federal statute sometime during this session of Parliament

(before October 2025). In the previous session of Parliament, the federal government introduced Bill C-11, which would have

replaced PIPEDA with the Consumer Privacy Protection Act (‘CPPA’). The CPPA made it to second reading, but died on the

order paper when the 2021 Federal Election was called. The CPPA would have provided additional rights to data subjects (e.g.

portability of data), expanded the requirements for valid data subject consent, and set out new monetary penalties of up to 5% of

annual global revenue. Bill C-11 faced significant debate, but we expect a new version of the bill to be introduced at some point

during this session of Parliament as the Federal Government seeks to align Canadian privacy law with that of California and the

European Union.

PIPEDA applies to all of the following:

Consumer and employee personal information practices of organizations that are deemed to be a ‘federal work,

undertaking or business’ ( , banks, telecommunications companies, airlines, railways, and other interprovincialeg

undertakings)

Organizations who collect, use and disclose personal information in the course of a commercial activity which takes place

within a province, unless the province has enacted ‘substantially similar’ legislation (PIPA BC, PIPA Alberta and the Quebec

Privacy Act have been deemed ‘substantially similar’)

Inter provincial and international collection, use and disclosure of personal information in connection with commercial

activity

PIPA BC, PIPA Alberta and the Quebec Privacy Act apply to both consumer and employee personal information practices of

organizations within BC, Alberta and Quebec, respectively, that are not otherwise governed by PIPEDA.

The province of Quebec recently enacted a major reform of its privacy legislation with the adoption of Bill 64. Bill 64 received

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Canada 193 | | | www.dlapiperdataprotection.com

Royal Assent on September 22, 2021, and its various provisions will be coming into force gradually between 2022 and 2024. With

Bill 64’s changes, Quebec now has a modern legal framework for privacy that resembles the European GDPR in several key areas.

 

DEFINITIONS

Definition of personal data

‘Personal information’ includes any information about an identifiable individual (business contact information is expressly “carved out” of the definition of ‘personal information’ in some Canadian privacy statutes).

The Quebec Privacy Act, as modified by Bill 64, has broadened the definition of “personal information” to include any information that allows an individual to be identified indirectly as well as directly.

Definition of sensitive personal data

Not specifically defined in Canadian Privacy Statutes, except for the Quebec Privacy Act.

The Quebec Privacy Act, as modified by Bill 64, defines “sensitive personal information” as any information that, by virtue of its nature (e.g. biometric or medical), or because of the context in which it is used or communicated, warrants a high expectation of privacy. The Quebec Privacy Act has stricter consent requirements in certain situations for the use and communication of personal information qualified as sensitive.

Definition of anonymized information

The Quebec Privacy Act, as modified by Bill 64, defines “de-personalized information” as any information which no longer allows the concerned individual to be identified directly.

Definition of biometric information

The Quebec Commission d’accès à l’information (‘CAI’) defines “biometric information” as information measured from a person’s unique physical, behavioural or biological characteristics.

NATIONAL DATA PROTECTION AUTHORITY

There is no single national data protection authority in Canada. Each of the Canadian Privacy Statutes is overseen by its own regulator: the Office of the Privacy Commissioner of Canada (the ‘OPC’, referred to below as the Commissioner in the context of PIPEDA), the Office of the Information and Privacy Commissioner of Alberta under PIPA Alberta, the Office of the Information and Privacy Commissioner for British Columbia under PIPA BC, and the Commission d’accès à l’information du Québec (the ‘CAI’) under the Quebec Privacy Act.

REGISTRATION

There is no general registration requirement under Canadian Privacy Statutes.

Some registration requirements exist under Quebec privacy laws:

Personal information agents, defined as “any person who, on a commercial basis, personally or through a representative, establishes files on other persons and prepares and communicates to third parties credit reports”, must be registered with the CAI
Databases of biometric information must be disclosed to and registered with the CAI

DATA PROTECTION OFFICERS

PIPEDA, PIPA Alberta, and PIPA BC expressly require organizations to appoint an individual responsible for compliance with the obligations under the respective statutes.

Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require organizations to appoint a person responsible for the protection of personal information, who is in charge of ensuring compliance with privacy laws within the organization. By default, the person with the highest authority within the organization will be the person responsible for the protection of personal information; however, this function can be delegated to any person, including a person outside of the organization.

This person’s responsibilities are broadly defined in the law and include:

Approval of the organization’s privacy policy and practices
Mandatory privacy assessments
Responding to and reporting security breaches, and
Responding to and giving effect to access and rectification rights

The contact information of the person responsible for the protection of personal information must be published online on the website of the organization.

COLLECTION & PROCESSING

Canadian Privacy Statutes set out the overriding obligation that organizations only collect, use and disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.

Subject to certain limited exceptions prescribed in the Acts, consent is required for the collection, use and disclosure of personal information. Depending on the sensitivity of the personal information, consent may be opt-in or opt-out. Under the Quebec Privacy Act, consent must be “manifest, free, and enlightened”, and implicit or opt-out consent is generally not considered valid.

Organizations must limit the collection of personal information to that which is necessary to fulfil the identified purposes and only retain such personal information for as long as necessary to fulfil the purposes for which it was collected.

Each of the Canadian Privacy Statutes has both notice and openness/transparency requirements. With respect to notice, organizations are generally required to identify the purposes for which personal information is collected at or before the time the information is collected. With respect to openness/transparency, Canadian Privacy Statutes generally require organizations to make information about their personal information practices readily available.

All Canadian Privacy Statutes contain obligations on organizations to ensure personal information in their records is accurate and complete, particularly where the information is used to make a decision about the individual to whom the information relates or if the information is likely to be disclosed to another organization.

Each of the Canadian Privacy Statutes also provides individuals with the following:

A right of access to personal information held by an organization, subject to limited exceptions;
A right to correct inaccuracies in/update their personal information records; and
A right to withdraw consent to the use or communication of personal information.

In addition to these rights, the Quebec Privacy Act, as modified by Bill 64, will create a right for individuals to have their personal information deindexed (coming into force September 2023) and to data portability (coming into force September 2024).

Finally, organizations must have policies and practices in place that give effect to the requirements of the legislation, and organizations must ensure that their employees are made aware of and trained with respect to such policies.

TRANSFER

When an organization transfers personal information to a third party service provider (i.e. a provider who acts on behalf of the transferring organization; although Canadian legislation does not use these terms, the transferring organization would be the “controller” in GDPR parlance, and the service provider would be a “processor”), the transferring organization remains accountable for the protection of that personal information and for ensuring compliance with the applicable legislation, using contractual or other means. In particular, the transferring organization is responsible for ensuring (again, using contractual or other means) that the third party service provider appropriately safeguards the data, and would also be required under the notice and openness/transparency provisions to reference the use of third party service providers in and outside of Canada in its privacy policies and procedures.

These concepts apply whether the party receiving the personal information is inside or outside Canada. Transferring personal information outside of Canada for storage or processing is generally permitted so long as the requirements discussed above are addressed, and the transferring party notifies individuals that their information may be transferred outside of Canada and may be subject to access by foreign governments, courts, law enforcement or regulatory agencies. This notice is typically provided through the transferring party’s privacy policies.

With respect to the use of foreign service providers, PIPA Alberta specifically requires a transferring organization to include the following information in its privacy policies and procedures:

The countries outside Canada in which the collection, use, disclosure or storage is occurring or may occur, and
The purposes for which the third party service provider outside Canada has been authorized to collect, use or disclose personal information for or on behalf of the organization

Under PIPA Alberta, specific notice must also be provided at the time of collection or transfer of the personal information and must specify:

The way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and
The name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

In addition, under the Quebec Privacy Act, an organization must take reasonable steps to ensure that personal information transferred to service providers outside Quebec will not be used for other purposes and will not be communicated to third parties without consent (except under certain exceptions prescribed in the Act). The Quebec Privacy Act also specifically provides that the organization must refuse to transfer personal information outside Quebec where it does not believe that the information will receive such protection.

Starting September 22, 2023, the Quebec Privacy Act, as modified by Bill 64, will require all organizations, before transferring personal information outside of the province of Quebec, to conduct data privacy assessments and enact appropriate contractual safeguards to ensure that the information will benefit from adequate protection in the jurisdiction of transfer. These assessments must take into account the sensitivity of the information, the purposes, the level of protection (contractual or otherwise) and the applicable privacy regime of the jurisdiction of transfer. Quebec has decided not to implement a system of adequacy decisions, and therefore assessments will likely be required prior to any cross-jurisdiction transfer.

SECURITY

Each of the Canadian Privacy Statutes contains safeguarding provisions designed to protect personal information. In essence, these provisions require organizations to take reasonable technical, physical and administrative measures to protect personal information against loss or theft, unauthorized access, disclosure, copying, use, modification or destruction. These laws do not generally mandate specific technical requirements for the safeguarding of personal information.

BREACH NOTIFICATION

Currently, PIPEDA and PIPA Alberta are the only Canadian Privacy Statutes with breach notification requirements. Bill 64 added breach notification requirements to the Quebec Privacy Act, which will come into force on September 22, 2022.

In Alberta, an organization having personal information under its control must, without unreasonable delay, provide notice to the Commissioner of any incident involving the loss of or unauthorized access to or disclosure of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result.

Notification to the Commissioner must be in writing and include:

A description of the circumstances of the loss or unauthorized access or disclosure
The date or time period during which the loss or unauthorized access or disclosure occurred
A description of the personal information involved in the loss or unauthorized access or disclosure
An assessment of the risk of harm to individuals as a result of the loss or unauthorized access or disclosure
An estimate of the number of individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure
A description of any steps the organization has taken to reduce the risk of harm to individuals
A description of any steps the organization has taken to notify individuals of the loss or unauthorized access or disclosure, and
The name and contact information for a person who can answer, on behalf of the organization, the Commissioner’s questions about the loss or unauthorized access or disclosure

Where an organization suffers a loss of or unauthorized access to or disclosure of personal information as to which the organization is required to provide notice to the Commissioner, the Commissioner may require the organization to notify the individuals to whom there is a real risk of significant harm. This notification must be given directly to the individual (unless specified otherwise by the Commissioner) and include:

A description of the circumstances of the loss or unauthorized access or disclosure
The date on which or time period during which the loss or unauthorized access or disclosure occurred
A description of the personal information involved in the loss or unauthorized access or disclosure
A description of any steps the organization has taken to reduce the risk of harm, and
Contact information for a person who can answer, on behalf of the organization, questions about the loss or unauthorized access or disclosure

The breach notification provisions under PIPEDA are very similar to the breach notification provisions under PIPA Alberta. The main difference is that PIPEDA requires organizations to notify both the affected individuals and the federal regulator if the breach creates a real risk of significant harm to the individuals, whereas PIPA Alberta requires the initial notice only to the regulator, and then to the individuals if the regulator requires it. In practice, many organizations notify affected Albertans regardless of whether the Alberta Commissioner requires it (and the Commissioner typically does require it for most reported breaches in any event). Further, under PIPEDA, organizations must also keep a record of ALL information security breaches, even those which do not meet the risk threshold of a “real risk of significant harm.”

The new Quebec Privacy Act, as modified by Bill 64, will introduce a number of new obligations in connection with “confidentiality incidents”, which are defined as unauthorized access, use, or communication of personal information, or the loss of such information. These include:

A general obligation to prevent and remedy security incidents
The obligation to notify the CAI and the person affected whenever the incident presents a risk of “serious injury.” Factors to consider when evaluating the risk of serious injury include the sensitivity of the information concerned, the anticipated consequences of the use of the information and the likelihood that the information will be used for harmful purposes, and
The obligation to keep a register of confidentiality incidents, over which the CAI has extensive audit rights

ENFORCEMENT

Privacy regulatory authorities have an obligation to investigate complaints, as well as the authority to initiate complaints.

Under PIPEDA, a complaint must be investigated by the Commissioner and a report will be prepared that includes the Commissioner’s findings and recommendations. A complainant (but not the organization subject to the complaint) may apply to the Federal Court for a review of the findings, and the court has authority to, among other things, order an organization to correct its practices and award damages to the complainant, including damages for any humiliation that the complainant has suffered.

Under PIPA Alberta and PIPA BC, an investigation may be elevated to a formal inquiry by the Commissioner resulting in an order. Organizations are required to comply with the order within a prescribed time period, or apply for judicial review. In both BC and Alberta, once an order is final, an affected individual has a cause of action against the organization for damages for loss or injury that the individual has suffered as a result of the breach.

In Alberta and BC, a person that commits an offence may be subject to a fine of not more than CA$100,000. Offences include, among other things, collecting, using and disclosing personal information in contravention of the Act (in Alberta only), disposing of personal information to evade an access request, obstructing the commissioner, and failing to comply with an order.

Similarly, under the Quebec Privacy Act, an order must be complied with within a prescribed time period. An individual may appeal to a judge of the Court of Quebec on questions of law or jurisdiction with respect to a final decision.

A failure to comply with the Quebec Privacy Act’s requirements (as currently applicable) in respect of the collection, storage, communication or use of personal information is liable to a fine of up to CA$10,000 and, for a subsequent offence, to a fine of up to CA$20,000. Anyone who hampers an inquiry or inspection, by communicating false or inaccurate information or otherwise, is liable to a fine of up to CA$10,000 and, for a subsequent offence, to a fine of up to CA$20,000.

Starting September 22, 2023, the new Quebec Privacy Act, as modified by Bill 64, will introduce much more severe penalties. The maximum penalties will range between CA$5,000 and CA$100,000 in the case of individuals, and between CA$15,000 and CA$25 million or 4% of worldwide income for the previous fiscal year in the case of organizations.

There are also statutory privacy torts in various provinces under separate legislation, and Ontario courts have recognized a common-law cause of action for certain privacy torts. Organizations may face litigation (including class action litigation) under these statutory and common-law torts, in addition to any enforcement or claims under Canadian Privacy Statutes.

ELECTRONIC MARKETING

Electronic marketing is governed by both Canadian Privacy Statutes (as discussed above) and Canada’s Anti-Spam Legislation (CASL).

Under CASL it is prohibited to send, or cause or permit to be sent, a commercial electronic message (defined broadly to include text, sound, voice, or image messages aimed at encouraging participation in a commercial activity) unless the recipient has provided express or implied consent and the message complies with the prescribed content and unsubscribe requirements (subject to limited exceptions).

What constitutes both permissible express and implied consent is defined in the Act and regulations. For example, an organization may be able to rely on implied consent when there is an existing business relationship with the recipient of the message, based on:

A purchase by the recipient within the past two years, or
A contract between the organization and the recipient currently in existence or which expired within the past two years

CASL also prohibits the installation of a computer program on any other person’s computer system, or having installed such a computer program to cause any electronic messages to be sent from that computer system, without express consent, if the relevant system or sender is located in Canada. In addition, the Act contains anti-phishing provisions that prohibit (without express consent) the alteration of transmission data in an electronic message such that the message is delivered to a destination other than (or in addition to) that specified by the sender.

CASL also introduced amendments to PIPEDA that restrict ‘address harvesting’, or the unauthorized collection of email addresses through automated means (i.e., using a computer program designed to generate or search for, and collect, email addresses) without consent. The use of an individual’s email address collected through address harvesting is also restricted.

The ‘Competition Act’ was also amended to make it an offence to provide false or misleading representations in the sender information, subject matter information, or content of an electronic message.

CASL contains potentially stiff penalties, including administrative penalties of up to CA$1 million per violation for individuals and CA$10 million for corporations (subject to a due diligence defense). CASL also sets forth a private right of action permitting individuals to bring a civil action for alleged violations of CASL (CA$200 for each contravention up to a maximum of CA$1 million each day for a violation of the provisions addressing unsolicited electronic messages). However, the private right of action is not yet in force, and there is currently little expectation that it will ever come into force.

ONLINE PRIVACY

Online privacy is governed by Canadian Privacy Statutes (discussed above). In general, Canadian privacy regulatory authorities have been active in addressing online privacy concerns.

For example, in the context of social media, the OPC has released numerous Reports of Findings addressing issues including:

Default privacy settings
Social plug-ins
Identity authentication practices
The collection, use and disclosure of personal information on social networking sites

The OPC has also released decisions and guidance on privacy in the context of mobile apps.

In addition, the OPC has released findings and guidelines related to the use of cookies and online behavioral advertising, including findings indicating that information stored by temporary and persistent cookies is considered to be personal information and therefore subject to PIPEDA. The OPC has adopted the same position with respect to information collected in connection with online behavioral advertising.

In ‘Privacy and Online Behavioral Advertising’ (the ‘OBA Guidelines’), the OPC stated that it may be permissible to utilize opt-out consent in the context of online behavioral advertising if the following conditions are met:

Individuals are made aware of the purposes for the online behavioral advertising, at or before the time of collection, in a manner that is clear and understandable
Individuals are informed of the various parties involved in the online behavioral advertising at or before the time of collection
Individuals are able to opt out of the practice and the opt-out takes effect immediately and is persistent
The information collected is non-sensitive in nature (i.e. not health or financial information), and
The information is destroyed or made de-identifiable as soon as possible

The OPC has indicated that online behavioral advertising must not be a condition of service and, as a best practice, should not be used on websites directed at children.

With respect to location data, such information, whether tied to a static location or a mobile device, is considered to be personal information by Canadian privacy regulatory authorities. As such, any collection, use or disclosure of location data requires, among other things, appropriate notice and consent. Most of the privacy regulatory authority decisions related to location data have arisen with respect to the use of GPS in the employment context.

The Canadian privacy regulatory authorities provide the following test that must be met for the collection of GPS data (and other types of monitoring and surveillance activities):

Is the data demonstrably necessary to meet a specific need?
Will the data likely be effective in meeting that need?
Is the loss of privacy proportional to the benefit gained?
Are there less privacy-intrusive alternatives to achieve the same objective?

Bill 64 has introduced several changes to the Quebec Privacy Act that are likely to have significant impacts on online privacy. Starting September 22, 2023, organizations collecting personal information by offering a product or service with privacy parameters must ensure that the highest privacy settings are enabled by default. Additionally, organizations collecting personal information from persons using tracking, localization or profiling technology will have the obligation to inform the person in advance of the use of such technologies, and to inform the person of the method for activating such functions. The use of such technologies will be opt-in only. “Profiling” is broadly defined as the collection and use of personal information in order to evaluate certain characteristics of a person such as workplace performance, economic or financial situation, health, personal preferences or interests, or behaviour.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Tamara Hunter
Associate Counsel

T +1 604.643.2952

tamara.hunter@dlapiper.com


CAPE VERDE

Last modified 8 January 2022

LAW

Data Protection Law (Law 133/V/2001, as amended by Law 41/VIII/2013 and Law 121/IX/2021 of 17 March 2021) and Law 132/V/2001 of 22 January 2001.

DEFINITIONS

Definition of personal data

Personal data is defined as any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person (referred to as ‘the data subject’). Natural persons are deemed to be identifiable whenever they can be directly or indirectly identified through such information.

Definition of sensitive personal data

Sensitive data is defined as personal data that refers to a person’s:

philosophical or political convictions
party or union affiliation
religious faith
private life
ethnic origin
health
sex life
genetic information and biometric data.

NATIONAL DATA PROTECTION AUTHORITY

The national data protection authority in Cape Verde is the Comissão Nacional de Proteção de Dados Pessoais (‘data protection authority’).

REGISTRATION

Pursuant to the Data Protection Law, before starting the processing of personal data (and considering the specific categories of

personal data), prior authorization or registration with the data protection authority is required.

Specific prior written registration (ie authorization) granted by the data protection authority is necessary in the following cases:

the processing of sensitive data (except in certain specific cases eg if the processing relates to data which is manifestly made public by the data subject, provided his consent for such processing can be clearly inferred from his/her statements) and only in cases where the data subject has given his/her consent to the use of such data

the processing of data in relation to creditworthiness or solvency

the interconnection of personal data

the use of personal data for purposes other than those for which it was initially collected.

DATA PROTECTION OFFICERS

The appointment of a data protection officer is mandatory when:

processing is carried out by a public authority or body, except for courts acting in their judicial capacity;

the core activities of the controller or the processor consist of processing operations which, by virtue of their nature,

their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or

the core activities of the controller or the processor consist of processing on a large scale of special categories of data

pursuant to Article 8 (sensitive data) or personal data relating to criminal convictions and offences referred to in Article

11 (criminal convictions and offences).

COLLECTION & PROCESSING

The collection and processing of personal data is subject to the rules laid down in the Data Protection Law. As a general note,

personal data processing operations may only be undertaken once one of the following requirements is met:

lawfulness;

consent;

performance of a contract;

legitimate interests, public interests, vital interests of data subject or legal duty. 

Moreover, as previously stated, there are some cases (referred to above) in which the collection and processing of personal data

is subject to prior authorization from the data protection authority.

TRANSFER

The Data Protection Law stipulates that the international transfer of personal data is only permitted if the recipient country is

considered to have a sufficient level of protection in respect of personal data processing.

The sufficient level of protection for foreign countries is defined by the data protection authority.

As a general rule, the transfer of personal data to countries that do not provide for an adequate level of protection of personal

data can only be permitted if the data subject has given his consent or in some specific situations, namely if the transfer:

is necessary for the performance of an agreement between the data subject and the controller or the implementation of

precontractual measures taken in response to the data subject’s request

is necessary for the performance or execution of a contract entered into or to be entered into in the interest of the data

subject between the controller and a third party

is necessary in order to protect the vital interests of the data subject

is made from a register which according to laws or regulations is intended to provide information to the public and which

is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, provided

the conditions laid down in law for consultation are fulfilled in the particular case.

SECURITY

The Cape Verdean Data Protection Law stipulates that data controllers must implement technical and organizational measures so as to ensure the confidentiality and security of the personal data processed. Such obligations must also be contractually enforced

by the data controller against the data processor. Moreover, certain specific security measures must be adopted regarding certain

types of personal data and purposes (notably, sensitive data, call recording, video surveillance etc.).

BREACH NOTIFICATION

There is a duty to notify the CNPD in case of a data breach no later than 72 hours after becoming aware of the same, unless it is

considered that such breach does not pose a risk to the rights, freedoms and warranties of the data subjects.

ENFORCEMENT

Enforcement of the Data Protection Law is done by the data protection authority – CNPD.

Moreover, the Data Protection Law sets out criminal and civil liability as well as additional sanctions for breaches of the provisions

of said statute.

Civil Liability

Any person who has suffered pecuniary or non-pecuniary loss as a result of any inappropriate use of personal data has the right to bring a civil claim against the relevant party.

Criminal Liability

The DPL provides that all of the following constitute criminal offences:

a failure to notify or to obtain the authorization of the DPA prior to commencing data processing operations that require

such authorization

provision of false information in requests for authorization or notification

misuse of personal data (ie processing personal data for different purposes than those for which the notification /

authorization was granted)

the interconnection of personal data without the authorization of the DPA

unlawful access to personal data

a failure to comply with a request to stop processing personal data.

These offences are punishable with a term of imprisonment of up to 2 years or a fine of up to 240 days.

Additional Sanctions

The DPL also lays down sanctions that can be imposed in addition to criminal and civil liability, namely:

a temporary or permanent prohibition on processing data

the advertisement of a sentence applied to a specific case

a public warning or reproach of a data controller.

ELECTRONIC MARKETING

Law 132/V/2001 provides an opt-in right for direct marketing communications. Moreover, both Law 132/V/2001 and the Data Protection Law grant data subjects the right to object, at his/her request and free of any costs, to unsolicited communications and to any data processing in relation to marketing activities.

ONLINE PRIVACY

Law 132/V/2001 lays down the legal framework for data protection in the telecommunications sector. Special rules include the

following:


any personal data obtained through phone calls performed by public operators or telecommunication public service

providers must be erased or made anonymous after the phone call has ended

traffic data can only be processed for billing, customer information or support, fraud prevention and the selling of

telecommunication services.

KEY CONTACTS

Costa Cunha Gonçalves & Associados

www.mirandalawfirm.com/


António Gonçalves
Partner

Costa Cunha Gonçalves & Associados

antonio.goncalves@ccg.cv


CAYMAN ISLANDS

Last modified 24 January 2022

LAW

The Data Protection Act (2021 revision) (DPA) is a Cayman Islands law, which first came into force on 30 September 2019. The DPA introduced the first legislative framework on data protection in the Cayman Islands.

Application

The application of the DPA turns on whether an organization is established in the Cayman Islands or has personal data processed

in the Cayman Islands.  Specifically, the DPA applies to a data controller in respect of personal data only if:

the data controller is established in the Cayman Islands and the personal data are processed in the context of that

establishment; or

the data controller is not established in the Cayman Islands, but the personal data are processed in the Cayman Islands

other than for the purposes of transit of the data through the Cayman Islands.

For these purposes, ‘established in the Cayman Islands’ means:

a body incorporated, or a partnership or other unincorporated association formed, under the laws of the Cayman Islands;

a body registered as a foreign company under the laws of the Cayman Islands;

an individual who is ordinarily resident in the Cayman Islands; or

any other person who maintains (i) an office, branch or agency in the Cayman Islands through which the person carries on

any activity; or (ii) a regular practice in the Cayman Islands.

A data controller not established in the Cayman Islands that processes personal data in the Cayman Islands is required to appoint

a local representative established in the Cayman Islands who, for all purposes within the Cayman Islands, is the data controller and

bears all obligations under the DPA as if it were the data controller.

DEFINITIONS

The DPA defines ‘personal data’ as data relating to a living individual who can be identified, including data such as:

the living individual’s location data or online identifier;

factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual;

an expression of opinion about the living individual; and

any indications of the intentions of the data controller or any other person in respect of the living individual.

The DPA creates more restrictive rules for the processing of ‘sensitive personal data’, which includes personal data consisting

of a data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, physical or

mental health or condition, medical data, sex life or commission or alleged commission of an offence or related proceedings.


Under the DPA the ‘processing’ of personal data has an extremely broad meaning and includes obtaining, recording or holding

data, or carrying out any operation on personal data.

Personal data may be processed by either a data controller or a data processor. The data controller is the decision maker, the person who ‘alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed’. The data processor ‘processes personal data on behalf of a data controller’. The obligations under the DPA are imposed almost exclusively on the data controller.

A ‘data subject’ is an identified living individual or a living individual who can be identified directly or indirectly by means

reasonably likely to be used by the data controller or by any other person.

NATIONAL DATA PROTECTION AUTHORITY

The supervisory authority under the DPA is the Office of the Ombudsman of the Cayman Islands (the Ombudsman), who has issued detailed guidance on the DPA, accessible on the Ombudsman’s website at https://ombudsman.ky/data-protection.

The Ombudsman’s contact details are as follows:

Office of the Ombudsman

PO Box 2252

Grand Cayman KY1-1107

CAYMAN ISLANDS

Email: info@ombudsman.ky

Telephone number: +1 345 946 6283

REGISTRATION

There is currently no requirement for a data controller or data processor to notify the Ombudsman of their role or complete any

registration.

DATA PROTECTION OFFICERS

There is no requirement for organizations to appoint a data protection officer under the DPA, though this may be recommended

for larger or complex organizations. 

COLLECTION & PROCESSING

A data controller is responsible for compliance with a set of eight core principles which apply to the personal data that the data

controller processes.  A data controller is also responsible for ensuring that the principles are complied with in relation to

personal data processed on the data controller’s behalf.

Under these principles:

Personal data must be processed fairly, lawfully and in a transparent manner;

Personal data must be obtained for specified lawful purposes and not further processed in any manner incompatible with

those purposes;

Personal data must be adequate, relevant and not excessive in relation to the purposes;

Personal data must be accurate and where necessary kept up-to-date;

Personal data must not be kept for longer than is necessary for the purposes it was collected for;

Personal data must be processed in accordance with the rights of data subjects under the DPA;

Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing of personal

data and against accidental loss or destruction of, or damage to, personal data; and


Personal data must not be transferred to a country or territory unless that country or territory ensures an adequate level

of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For purposes of the first principle (fair and lawful processing), personal data will not be treated as processed fairly unless the data

subject has, as soon as reasonably practicable, been provided with, at a minimum, the identity of the data controller and the

purpose for which the data are to be processed.  This is usually communicated in the form of a privacy notice.

In order for the processing to be considered lawful, the processing must be justified by reference to an appropriate basis.  The

legal bases (also known as lawful grounds) for processing personal data are:

The data subject has given consent to the processing (where consent must be freely given, specific, informed and

unambiguous and must be capable of being withdrawn at any time);

The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the

request of the data subject with a view to entering into a contract;

The processing is necessary for compliance with a legal obligation to which the data controller is subject;

The processing is necessary to protect the vital interests of the data subject;

The processing is necessary for the administration of justice or the exercise of a function by a public authority or

conferred under law or other function of a public nature exercised in the public interest; and

The processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party to

whom the data is disclosed, except if the processing is unwarranted by reason of prejudice to the rights and freedoms or

legitimate interests of the data subject.

Sensitive personal data

In order for the processing of sensitive personal data to be considered lawful, in addition to meeting one of the above legal bases,

one of the following conditions must be met:

The data subject has given consent to the processing (where consent must be freely given, specific, informed and

unambiguous and must be capable of being withdrawn at any time);

The processing is necessary for the purposes of exercising or performing a right or obligation conferred or imposed by

law on the data controller in connection with the data subject’s employment;

The processing is necessary to protect the vital interests (i) of the data subject or another person, in a case where

consent cannot be given by or on behalf of the data subject, or the data controller cannot reasonably be expected to

obtain the consent of the data subject; or (ii) of another person, in a case where consent by or on behalf of the data

subject has been unreasonably withheld;

The processing is carried out by a not-for-profit body in certain limited circumstances;

The information contained in the personal data has been made public as result of steps taken by the data subject;

The processing is necessary for the purposes of legal proceedings, obtaining legal advice or otherwise establishing,

exercising or defending legal rights;

The processing is necessary for the administration of justice or the exercise of a function by a public authority or

conferred under law; or

The processing is necessary for medical purposes and is undertaken by a health professional or person who owes an

equivalent duty of confidentiality.

Rights of the Data Subject

Right of access

Upon written request, a data subject is entitled to be informed by a data controller of whether their personal data are being

processed by or on behalf of the data controller and, if so, to be given a description of such personal data together with

prescribed information about how the data have been used by the data controller.  A data subject is also entitled, upon written

request, to a copy of their personal data and any information available as to the source of such personal data.  A data controller is

generally required to comply with such a request within 30 days.

Right to object to processing


A data subject is entitled, at any time by notice in writing, to require a data controller to cease processing, or not to begin

processing, or to cease processing for a specified purpose or in a specified manner, the data subject’s personal data.  A data

controller is required to comply with such a notice as soon as practicable and in any case within 21 days, unless the processing is

necessary:

for the performance of a contract to which the data subject is a party or the taking of steps at the request of the data

subject with a view to entering into a contract;

for compliance with a legal obligation to which the data controller is subject; or

in order to protect the vital interests of the data subject.

In addition, data subjects have an unconditional right to require a data controller at any time to cease (or not to begin) processing

their personal data for the purposes of direct marketing.

Rights in relation to automated decision-making

A data subject is entitled, at any time by notice in writing, to require a data controller to ensure that no decision taken by or on

behalf of the data controller that significantly affects the data subject is based solely on the processing by automatic means of the

data subject’s personal data for the purpose of evaluating the data subject’s performance at work, creditworthiness, reliability,

conduct or any other matters relating to the data subject.

Where a decision that significantly affects a data subject is based solely on processing by automatic means, subject to certain

exceptions, the data controller is required as soon as reasonably practicable to notify the data subject that the decision was taken

on that basis, and the data subject is then entitled to require the data controller to reconsider the decision.

Right to rectification

The DPA includes an indirect right for individuals to have inaccurate personal data rectified, by making such a request to the data

controller.  There is no explicit obligation for a data controller to act on such a request, however data controllers are generally

required under the principles to process data fairly and transparently and ensure that personal data is accurate and kept

up-to-date.

Any person may make a complaint to the Ombudsman about the processing of personal data and the Ombudsman may order the

data controller (among other things) to rectify, block, erase or destroy the relevant data.

TRANSFER

As set out in the eighth principle, transfers of personal data by a data controller or a data processor to countries or territories

outside the Cayman Islands are only permitted where that country or territory ensures an adequate level of protection for the

rights and freedoms of data subjects in relation to the processing of personal data.  This is to ensure that the level of protection

provided by the DPA is not circumvented by transferring personal data abroad.

The Ombudsman has issued guidance stating that it considers the following countries and territories as ensuring an adequate level

of protection:

member states of the European Economic Area (that is, the European Union plus Liechtenstein, Norway and Iceland)

where Regulation EU 2016/679 (the General Data Protection Regulation or “GDPR”) is applicable; and

any country or territory in respect of which an adequacy decision has been adopted by the European Commission

pursuant to Article 45(3) GDPR or remains in force pursuant to Article 45(9) of the GDPR.

Other countries and territories may be deemed to have an adequate level of protection depending on various factors, which are

to be assessed by a data controller, or a data controller may request authorization from the Ombudsman for a transfer.

The DPA also includes the following exceptions where the eighth principle will not apply to a transfer:

if the data subject has consented to the transfer (where consent must be freely given, specific, informed and unambiguous

and must be capable of being withdrawn at any time);


where the transfer is necessary for the performance of a contract between the data subject and the data controller, or

the taking of steps at the request of the data subject with a view to the data subject’s entering into a contract with the

data controller;

the transfer is necessary for the conclusion of a contract between the data controller and a person other than the data

subject, being a contract that is entered into at the request of the data subject, or is in the interests of the data subject, or

for the performance of such a contract;

the transfer is necessary for reasons of substantial public interest;

the transfer is necessary for the purposes of legal proceedings, obtaining legal advice or otherwise establishing, exercising

or defending legal rights;

the transfer is necessary in order to protect the vital interests of the data subject;

the transfer is part of the personal data on a public register and any conditions subject to which the register is open to

inspection are complied with by a person to whom the data are or may be disclosed after the transfer; or

the transfer is required under international cooperation arrangements between intelligence agencies or between

regulatory agencies to combat organized crime, terrorism or drug trafficking or to carry out other cooperative functions,

to the extent permitted or required under Cayman Islands law or an order of the Grand Court of the Cayman Islands.

SECURITY

The DPA is not prescriptive about specific technical standards or measures that must be taken to protect personal data.  Rather,

the DPA adopts a context-specific approach, requiring that appropriate technical and organizational measures be taken, appropriate

to the risks presented by the processing.  A data controller should take into account the state of the art, costs of implementation,

as well as the nature, scope, context and purpose of their processing.

Aspects to consider include:

organizational measures, e.g. staff training and policy development;

technical measures, e.g. physical protection of data, pseudonymization, encryption; and

securing ongoing availability, integrity and accessibility, e.g. by ensuring backups.

BREACH NOTIFICATION

The DPA contains a general requirement for a personal data breach to be notified by the data controller to the Ombudsman and

the relevant data subject(s). A personal data breach is a wide concept, defined as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed’.

The data controller must notify a breach to the relevant data subject(s) and the Ombudsman without undue delay, and in any case

no longer than five days after the data controller should, with the exercise of reasonable diligence, have been aware of the breach.

The same rules apply where a breach occurs at the level of a data processor.  Accordingly, data controllers should contractually

require their data processors to notify the data controller of a breach in a timely manner.

The notification must describe the nature of the breach, the consequences of the breach, the measures proposed to be taken by

the data controller to address the breach and the measures recommended by the data controller to the relevant data subject(s) to

mitigate the possible adverse effects of the breach.

ENFORCEMENT

A breach of the DPA constitutes a criminal offence, punishable on conviction to a fine of up to CI$100,000 (approx. US$125,000),

imprisonment for a term of up to 5 years, or both. 

In addition, the DPA empowers the Ombudsman to issue monetary penalty orders of up to CI$250,000 (approx. US$300,000)

where the Ombudsman is satisfied on a balance of probabilities that there has been a serious contravention of the law by a data

controller and the contravention was of a kind likely to cause substantial damage or substantial distress to a data subject.

Investigative and corrective powers


The Ombudsman is given wide investigative and corrective powers under the DPA, including to require the provision of

information and to issue orders to carry out specific remediation activities.

Right to claim compensation

The DPA specifically provides for individuals to bring private claims against data controllers: any person who suffers damage by

reason of a contravention by a data controller of any requirement of the DPA has a cause of action for compensation from the

data controller for that damage.

Personal liability

The DPA explicitly provides for personal liability for offences committed by a body corporate where the offence is proven to have

been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, secretary or

similar officer or any person purporting to act in such capacity.  Where the affairs of a body corporate are managed by its

members, this personal liability also applies to the acts and defaults of a member in connection with the member’s functions of

management.

ELECTRONIC MARKETING

The DPA applies to most electronic marketing activities as these will involve some use of personal data (e.g., an email address

which includes the recipient’s name).  The most plausible legal bases for electronic marketing will be consent or the legitimate

interests of the data controller.  Where consent is relied upon, the strict standards for consent under the DPA are to be noted,

and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an

unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied

from conduct, such as visiting a website).

Data subjects have an unconditional right to require a data controller at any time to cease (or not to begin) processing their

personal data for the purposes of direct marketing (which includes direct electronic marketing).

ONLINE PRIVACY

There are no specific restrictions addressing online privacy beyond those generally applicable to the processing of personal data

under the DPA.  Personal data explicitly includes online identifiers.


KEY CONTACTS

Carey Olsen

www.careyolsen.com


Nick Bullmore
Partner

T +1 345 749 2000

nick.bullmore@careyolsen.com

Graham Stoute
Counsel

Carey Olsen

T +1 345 749 2014

graham.stoute@careyolsen.com

Jenna Willis
Associate

Carey Olsen

T +1 345 749 2053

jenna.willis@careyolsen.com


CHAD

Last modified 15 January 2022

LAW

The data protection regime in Chad is mainly governed by the following laws and regulations: 

Act No. 007/PR/2015 of February 10, 2015, on Personal Data protection (‘The Act’)

Decree No. 075/PR/2019 of January 21, 2019 implementing the provisions of application of the Act N°007/PR/2015 of

February 10, 2015 on the protection of personal data

Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification

Act No. 008/PR/2015 on electronic transactions

Act No. 001/PR/2017 on the Criminal Code

DEFINITIONS

Definition of Personal Data

Personal data: Any information relating to a natural person, identified or identifiable directly or indirectly, by reference to an

identification number or to one or more elements specific to his or her physical, physiological, genetic, psychological, cultural,

social, and economic identity. (Article 5 of the Act)

Definition of Sensitive Personal Data

Sensitive data: Data relating to religious, philosophical, political, trade union opinions or activities, sex or racial life, health, social

measures, prosecutions, and criminal or administrative charges. (Article 5 of the Act)

NATIONAL DATA PROTECTION AUTHORITY

The National Data Protection Authority is the Agence Nationale de Sécurité Informatique et de Certification Électronique (‘ANSICE’).

ANSICE is responsible for ensuring compliance, on the national territory, with the provisions of the Act. As such, it has the power

to sanction any violation of the Act. 

ANSICE’s main duties include:

informing the data holders and the data controllers of their rights and obligations;

receiving the formalities prior to the creation of processing of personal data;

receiving complaints, petitions and claims relating to the implementation of the processing of personal data and informing

their authors of the follow-up given to them;

informing the judicial authorities without delay of the offences of which it has knowledge;

entrusting its members or agents with the task of carrying out verifications relating to any processing and, where

appropriate, obtaining copies of any document or information medium useful for its mission;

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Chad 212 | | | www.dlapiperdataprotection.com


imposing a sanction on a data controller;

keeping a directory of personal data processing at the disposal of the public;

authorizing, under the conditions provided for in the Act, the transborder transfer of personal data. 

(Article 6 of Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification)

REGISTRATION

There is no country-wide system of registration in Chad. However, the processing of personal data may be subject to prior notification to, or authorization/prior approval from, the CDP.

Regime of authorisation

The authorisation of the ANSICE is required for the processing of any personal data relating to:

genetic, biometric data, and research in the health field;

offenses, convictions, or security measures;

interconnection of files;

national identification number or any other identifier of the same nature; or

public interest in particular for historical, statistical, or scientific purposes.

The regime of declaration

Apart from the data provided for by the authorisation regime, any processing of personal data must be declared in written form and addressed to ANSICE.

Notice/Opinion regime (“Avis”) 

The automated processing of personal information carried out on behalf of the State, a public institution, a local authority or a legal person under private law managing a public service is decided by regulatory act taken after a reasoned opinion from ANSICE. Such processing relates to:

State security, defense or public safety;

the prevention, investigation, recording or prosecution of criminal offences or the execution of criminal sentences or security measures;

the population census;

personal data that reveal, directly or indirectly, the racial, ethnic or regional origins, parentage, political, philosophical or religious opinions or trade union membership of persons, or that relate to the health or sexual life of persons when they are not covered by provisions related to interconnection of data;

the processing of salaries, pensions, taxes, and other settlements. 

(Articles 51, 52 and 53 of the Act)

DATA PROTECTION OFFICERS

There are no specific provisions relating to the appointment of a Data Protection Officer (‘DPO’) under the Act. This issue is left at the exclusive discretion of the data controllers.

COLLECTION & PROCESSING

Data collection and processing are subject to the following principles and requirements:

The collection, recording, processing, storage, and transmission of personal data must be lawful, fair, and not fraudulent;

Data must be collected for specified, explicit, and legitimate purposes;

Data must be relevant and not excessive in relation to the purposes for which they are collected and further processed;

Data must be kept for a period not exceeding the period necessary for the purposes for which they were collected/processed;

The data collected must be accurate and updated whenever necessary;

The data controller must inform the data subject of any processing operation that involves their personal data; and

Personal data must be treated confidentially and protected. 

Data holders/subjects have the following rights:

To be informed: Pursuant to Article 35 et seq. of the Act, the data controller must inform the data subject of:

the identity of the data controller and its representative (if any);

the purposes of the processing;

the category of data concerned;

the recipients or categories of recipients of the data;

the right to object to the collection of such data;

the right to access the collected data and have it edited;

the duration of the processing; and

details on any intended transfer of the data. 

To access: Pursuant to Article 38 of the Act, data subjects have a right of access and can obtain the following from the data controller:

information allowing the data subject to be aware of, and possibly to contest, the processing;

confirmation of whether his/her personal data forms part of the processing;

copy of his/her personal data as well as any available information on the origin of the data; and

information relating to the purposes of the processing, categories of data processed, recipients or categories of recipients to whom the data are disclosed, and information relating to the transfer of personal data outside the country.

To rectification: In light of the provisions of Article 48 of the Act, any data subject may require that the data controller rectifies their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

To erasure: In light of the provisions of Article 48 of the Act, any data subject may require that the data controller deletes their personal data if it is inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

Right to object/opt-out: Pursuant to Article 45 of the Act, any data subject has the right to object, with legitimate reasons, to the processing of his/her personal data. The data subject also has the right to be informed before his/her personal data is communicated to or used by a third party, and to object to that communication or use of the personal data.

TRANSFER

In light of Article 29 of the Act, the data controller cannot transfer personal data to a foreign country that is not a member of CEMAC/CEEAC unless that country provides a sufficient level of protection for the privacy, fundamental rights, and freedoms of individuals.

Moreover, prior to any transfer of personal data abroad, the data controller must first inform the regulatory authority, ANSICE.

CEMAC is the French acronym of the Economic and Monetary Community of Central Africa. CEEAC is the French acronym of the Economic Community of Central African States.

A transfer to a non-CEMAC/CEEAC country not offering a sufficient level of protection is possible if:

the Data Subject agrees to the transfer;

the transfer protects the life of the Data Subjects/Holders;

the transfer protects the public interest;

the transfer is necessary for the performance of an agreement between the Data Subject and the Data Processor, or to take precontractual measures at the request of the Data Subject;

the transfer is made from a public register which, according to laws and regulations, is intended for public information and open to public consultation.

ANSICE may allow the Data Controller to transfer data to a foreign country that is not a member of CEMAC/CEEAC if the Data Controller provides sufficient protection for the Data Subject’s private life, liberties, and fundamental rights.

(Articles 30-33 of the Act)

SECURITY

Data Controllers are required to ensure the security of personal data. They must prevent the data’s alteration and damage, or access by non-authorised third parties. In this regard, Data Controllers should make sure that:

Persons with access to the system can only access the data that they are allowed to access;

The identity and interest of any third-party recipients of the data can be verified;

The identity of persons who have access to the system (to view or add data) can be verified;

Unauthorised persons cannot access the place and equipment used for the data processing;

Unauthorised persons cannot read, copy, modify, destroy, or move data;

All data entered onto the system are authorised;

The data will not be read, copied, amended, or deleted without authorisation during the transport or communication of the data;

The data are backed up with security copies;

The data are renewed and converted to preserve them. 

(Article 60 of the Act)

BREACH NOTIFICATION

Breaches of the provisions of the Personal Data Act, including those concerning breach notification, are subject to the following administrative sanctions by ANSICE:

a warning to the data controller who does not comply with the obligations arising from the Law;

a formal notice to put an end to the breaches concerned within the time limit which it fixes;

penalties in accordance with the observed shortcomings;

interruption of processing for a maximum of three years;

blocking for a maximum of three months of certain processed personal data; or

temporary or permanent prohibition of processing contrary to the provisions of the Act.

(Article 8 of Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification)

In addition, a judge can impose the following sanctions in case of such a breach:

imprisonment of between 1 and 5 years;

fines of between XAF 1 million and XAF 10 million.

(Article 438 of the Criminal Code)

Mandatory breach notification

No mandatory breach notification protocol is provided under Chadian law.

ENFORCEMENT

ANSICE has enforcement powers including:

Investigative powers: ANSICE can conduct investigations to discover facts and evidence of violations of the Act.

Administrative fines for infringements of the Data Protection Act

Non-compliance with ANSICE instructions/decisions can lead to the following sanctions:

a warning;

an injunction to put an end to defaults within the time limit set by the ANSICE; or

a provisional withdrawal of the authorisation granted for a period of three months, at the expiry of which the withdrawal becomes final.

In case of urgency, ANSICE can:

interrupt a processing for a duration that cannot exceed three months;

lock certain kinds of data for a duration that cannot exceed three months; or

prohibit, provisionally or definitively, data processing that does not comply with the Act.

Additionally, a temporary or permanent ban may be issued under the Act. The ban does not require a court order.

(Article 8 of Act No. 006/PR/2015 on the creation of the National Agency for Computer Security and Electronic Certification and Article 81 of the Act)

ELECTRONIC MARKETING

Sending marketing communications is forbidden in principle unless the recipient has agreed to it.

There are, however, specific cases in which prior approval is not required:

the recipient’s information was collected directly from him, in accordance with the provisions of the Act;

the recipient is already a customer of the company, the marketing messages relate to products or services that are similar to those previously provided, and the recipient is given the possibility of objecting to all messages sent to him;

the data subjects were clearly informed, at the point where their data is collected, that they have the right to object, free of charge, to the processing of their personal data for electronic marketing; or

the electronic marketing concerns the data of legal persons, which does not constitute personal data.

(Article 49 of Act No. 008/PR/2015 on electronic transactions) 

Breaches of the provisions of the Personal Data Act, including breaches of the electronic marketing provisions, are subject to the following administrative sanctions by ANSICE:

a warning to the data controller who does not comply with the obligations arising from the Law;

a formal notice to put an end to the breaches concerned within the time limit which it fixes;

penalties in accordance with the observed shortcomings;

interruption of processing for a maximum of three years;

blocking for a maximum of three months of certain processed personal data; or

temporary or permanent prohibition of processing contrary to the provisions of the Act.

In addition, a judge can impose the following sanctions in case of a violation of the provisions of Act No. 008/PR/2015 on electronic transactions, including its provisions relating to electronic marketing:

imprisonment of between 1 and 10 years; and

fines of between XAF 1 million and XAF 5 million.

(Article 168 of Act No. 008/PR/2015 on electronic transactions)

ONLINE PRIVACY

There is no specific restriction on the use of cookies under the Act. However, ANSICE requires that the Data Subject be informed of the use of cookies and that his/her consent be collected.


KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Mouhamed Kebe
Partner

Geni & Kebe

T +221 76 223 63 30

mhkebe@gsklaw.sn

Mahamat Atteib
Associate

Geni & Kebe

T +221 77 737 41 74

m.atteib@gsklaw.sn


CHILE

Last modified 24 January 2022

LAW

Personal Data Protection is regulated in different laws.

Constitution of the Republic of Chile, Art. 19 N° 4

The Chilean constitution establishes the individual’s right to (i) respect and protection of private life, (ii) honor of the person and his/her family, and (iii) protection of his/her personal data. Any individual who, as a result of an arbitrary or illegal act or omission, suffers a “privation, disturbance or threat” to these rights may file a Constitutional Protective Action (“Recurso de protección”).

Law 19,628/1999 ‘On the protection of private life’, commonly referred to as ‘Personal Data Protection Law’ (hereinafter, the ‘PDPL’)

The PDPL generally defines and regulates the processing of personal data in public and private databases and is thus the primary body of rules on the processing of personal data not governed by sectoral provisions (for example, those contained in the laws mentioned below).

Generally, the PDPL stipulates that personal data may only be processed if the processing is (i) permitted by law (eg, labor law, health care law, etc.) or (ii) based on the data subject’s prior informed, written consent. There are only a few narrow exceptions to this principle (eg, certain publicly accessible data, or purely internal data processing for certain purposes). In addition, the PDPL contains special regulations on the processing of personal data relating to economic, banking, and financial obligations.

The PDPL also provides data subjects the right to access, rectify, delete, block and object to processing of personal data in certain cases.

Decree with Force of Law N° 3/19978, ‘General Law of Banks’

Article 154 of this law establishes the confidentiality of an individual’s transactions with and through banks. The law distinguishes transactions covered by secrecy, which in principle are subject to an absolute prohibition of disclosure, from transactions covered by reserve, which may only be disclosed where a legitimate interest exists and if it cannot be foreseen that the knowledge of the disclosed data may cause financial damage to the customer.

Law 20,575/2012 establishing the ‘purpose principle’ for the processing of personal data of an economic, financial, banking or commercial nature

This law establishes several rules that apply to the processing of personal data referring to financial, economic, banking or commercial information, such as:

Limited disclosures: Such data shall only be communicated to established commercial entities for the purpose of a commercial risk assessment in a credit granting process, and to entities that take part in this evaluation.

Prohibition of requesting such type of data in the context of processes for personnel selection, pre-school, school or higher education admission, emergency medical care or application for public office.

Providers of economic, financial, banking or commercial databases must have a system for recording the name of any person requesting database information, the reason, date and time of the request and the person responsible for delivering or transferring the information. Data subjects have the right to request access to their commercial information every four months and free of charge.

Providers of the database must implement the principles of legitimacy, access and objection, data quality, purpose, proportionality, transparency, non-discrimination, use limitation and security in personal data processing, and designate a contact person for data subjects.

Law 19,223/1993 regulating certain computer crimes

This law establishes criminal sanctions for certain specific conduct related to the theft, destruction, obstruction, modification and illegal access and disclosure of information contained in data processing systems. It does not, however, refer specifically to personal data.

Law 20,584/2012 regulating the rights and duties of individuals in the context of healthcare

This law sets forth that all information contained in patient files or documentation of medical treatments is sensitive data, and establishes the obligation of healthcare professionals to keep patient data confidential and to comply with the principle of purpose limitation. This law also includes certain specific cases in which such data can be submitted, partially or totally, to the data subject and to other individuals or entities.

Bill regulating the protection and processing of personal data and creating the Agency for the Protection of Personal Data (Bulletin 11,144-07, consolidated with Bulletin 11,092-07)

This draft law aims to modernize the PDPL and adapt it to international standards. The most important stipulations are:

the introduction of further legal bases for the processing of personal data in addition to consent (such as performance of a contract and legitimate interest), and additional requirements for processing sensitive data, depending on the category of data concerned.

various basic principles, such as lawfulness, purpose limitation, proportionality, data quality, accountability, security, transparency and information, and confidentiality.

regulations on international data transfers.

information requirements.

special obligations when using data processors.

provisions on data protection by design and default and security measures.

reporting obligations in the event of data breaches.

introduction of the right to portability.

the creation of a data protection authority with the competence to impose administrative fines.

The bill has been under debate for some time but is currently still in the first constitutional stage in the senate. There is currently no indication when it may pass.

DEFINITIONS

Definition of personal data

The PDPL defines personal data as any information concerning identified or identifiable natural persons.

Definition of sensitive data

Sensitive data are defined very broadly as personal data relating to the physical or moral characteristics of persons or to facts or circumstances of their private or intimate life, such as personal habits, racial origin, ideologies or political opinions, religious beliefs or convictions, physical or mental health conditions, and sexual life.

Definition of controller and data processing

The PDPL defines the controller (‘responsible for the register or database’) as the private individual or legal entity, or the respective public body, which is responsible for decisions related to the processing of personal data.

Data processing is defined as any operation or complex of operations or technical procedures, of an automated or non-automated nature, that allow one to collect, store, record, organize, elaborate, select, extract, confront, interconnect, dissociate, communicate, assign, transfer, transmit or cancel personal data, or use them in any other way.

NATIONAL DATA PROTECTION AUTHORITY

In Chile, there is no special authority dedicated to overseeing matters related to data protection concerning processing activities performed by private persons or entities. Law 20,285/2008 on access to public information provides that the Transparency Council (Consejo para la Transparencia, the control body ensuring compliance with the aforementioned law, which provides the rights to transparency and access to information of the state administration) shall ensure proper compliance with the data protection law by the organs of the state administration; however, the Transparency Council does not have powers to impose fines.

Since December 24, 2021, due to a provision in the newly adopted so-called Pro-Consumer Law (Law 21,398/2021), the consumer protection agency SERNAC has the competency to monitor compliance with the provisions of the data protection law in consumer matters. The SERNAC cannot impose fines but may initiate and participate in judicial proceedings and collective voluntary proceedings. This is the first time that private controllers’ processing of (consumer) personal data has been subject to regulatory control.

A special data protection authority is to be created by the above-mentioned legislative project (the Bill that regulates the protection and processing of personal data and creates the Agency for the Protection of Personal Data, Bulletin 11,144-07, consolidated with Bulletin 11,092-07). However, as noted, there is no clear timeline for when to expect this bill to pass.

REGISTRATION

Public databases must be registered in the Civil Registry and Identification Service (Servicio de Registro Civil e Identificación). There is no obligation to register private databases.

DATA PROTECTION OFFICERS

The PDPL does not require the appointment of a Data Protection Officer.

COLLECTION & PROCESSING

According to the PDPL, personal data may be processed in the following cases:

With informed, prior and written consent given by the data subject

If authorized by legal provisions

If the personal data comes from publicly accessible sources, and the data:

are of financial, banking or commercial nature, or

are contained in lists related to a category of persons that merely indicate background information such as the individuals’ membership in that category, his/her profession or activity, educational qualifications, address or date of birth, or

are required for direct response commercial communications or direct marketing or sale of goods or services

Furthermore, personal data may be processed without the data subject’s consent if they are processed by private entities for their exclusive use, or that of their associated or affiliated entities, for statistical, pricing or other purposes of general benefit to them. In practice, this exception is not of significant importance.


TRANSFER

Transfer of personal data is considered a processing activity, so all of the aforementioned rules are applicable, including the requirement to rely on a legal basis (usually consent). The PDPL does not provide or require any special provisions for the international transfer of personal data.

SECURITY

The PDPL does not establish specific measures that need to be adopted for the security of the personal data processed. It only stipulates that the controller is required to take care of the data with due diligence, being liable in case of damages.

All individuals involved in the processing of personal data (other than from publicly accessible sources) have to comply with confidentiality obligations, even after they end their work in this field.

BREACH NOTIFICATION

There is no obligation to report a data breach.

ENFORCEMENT

Since there is no special data protection authority in Chile, data protection violations must be challenged with a Constitutional Protective Action based on an alleged violation of the constitutionally guaranteed right to protection of personal data, or with an action before the ordinary civil courts. In addition, the PDPL provides for a special type of action in the event that a controller fails to respond in a timely manner to a request to assert data subject rights (‘Habeas Data’).

With the entry into force of the Pro-Consumer Law (see the section on Authority), and the competency thereby granted to the consumer protection agency SERNAC, consumers can lodge complaints alleging violation of the data protection law with this authority. The SERNAC cannot impose fines, but may initiate and participate in judicial proceedings and collective voluntary proceedings.

ELECTRONIC MARKETING

Private entities are allowed to create and maintain databases for purposes of sending marketing and promotional emails, provided that the requirements mentioned in the ‘Collection and Processing’ section have been fulfilled.

However, any person may require that his/her information be deleted for such purposes, either permanently or temporarily.

The Chilean Consumer Protection Act (Law 19,496/1997 on the protection of consumer rights) defines ‘advertising’ as the communication that the provider of goods or services sends to the public by any means, in order to inform and motivate the purchase of goods or services. It also indicates that all promotional or advertising communication must indicate an expeditious way in which the recipients can request the suspension of the promotional communication (opt-out). After a consumer has exercised his opt-out right, the sending of new communications is prohibited. In the case of promotional or advertising communication sent by e-mail, the communication must also indicate the subject matter or theme and the identity of the sender.

ONLINE PRIVACY

There are no specific laws governing online privacy or cookies.


KEY CONTACTS

Albagli Zaliasnik

www.az.cl/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Felipe Bahamondez
Partner

DLA Piper (Chile)

T +56 2 2798 2602

fbahamondez@dlapiper.cl

Lisa Hondl
Associate

DLA Piper (Chile)

T +56 2 2798 2620

lhondl@dlapiper.cl


CHINA

Last modified 27 January 2022

LAW

There is not a single comprehensive data protection law in the People’s Republic of China (PRC). Instead, rules relating to personal information protection and data security are part of a complex framework and are found across various laws and regulations. That said, the three main pillars of the personal information protection framework in the PRC are the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), and the Data Security Law (DSL).

On June 1, 2017, the CSL came into effect and became the first national-level law to address cybersecurity and data privacy protection. The DSL came into force on September 1, 2021, and focuses on data security across a broad category of data (not just personal information). Most significantly, the PIPL came into effect on November 1, 2021. The PIPL is the first comprehensive, national-level personal information protection law in the PRC. The PIPL does not replace – but instead enhances and clarifies – earlier personal information laws and regulations.

In addition to the PIPL, CSL and DSL, the following form the backbone of the general personal information protection framework currently in the PRC:

The Decision on Strengthening Online Information Protection, effective from December 28, 2012 (Decision);

National Standard of Information Security Technology – Guideline for Personal Information Protection within Information System for Public and Commercial Services, effective from February 1, 2013;

The Draft Regulation of Network Data Security Management, published for consultation in November, 2021; and

The Draft Measures for Security Assessment of Cross-border Data Transfer, published for consultation in October, 2021.

In the past five years, there has also been an abundance of implementing regulations and guidelines (herein referred to as Guidelines) proposed, issued or revised to flesh out the essentials and concepts introduced under the personal information protection framework. These include, non-exhaustively:

National Standard of Information Security Technology – Personal Information Security Specification (PIS Specification), as amended and effective from October 1, 2020;

Guidelines on Internet Personal Information Security Protection, effective from April 19, 2019; and

National Standard of Information Security Technology – Guidelines on Personal Information Security Impact Assessment, effective from June 1, 2021.

The Decision has the same legal effect as law, and its purpose is to protect online information security, safeguard the lawful rights and interests of citizens, legal entities or other organizations, and ensure national security and public interests. While the PIS Specification and other Guidelines are only technical guides (covering in detail key issues such as data transfers, sensitive personal information and data subject rights), and thus not legally binding, they have historically been highly persuasive. Given the recent promulgation of the PIPL, the PIPL will now take precedence over the PIS Specification and other Guidelines. Nonetheless, the PIS Specification and the Guidelines are still useful for the purposes of supplementing legislation, especially on any part that has not been addressed by the PIPL, CSL or DSL. In addition to all of the above:

provisions found in laws such as the General Principles of Civil Law and the Tort Liability Law have generally been used to interpret data protection rights as a right of reputation or right of privacy. However, such interpretation is not explicit. Further, the PRC Civil Code, effective on January 1, 2021, also further reinforces the statutory right of privacy for individuals and establishes data protection principles; and

provisions contained in other laws and regulations may also apply depending on the industry or type of information involved (for example, personal information obtained by financial institutions and e-commerce businesses, personal information collected by telecom or Internet service / content providers, healthcare and genetic information, etc.). Applicability of other laws or regulations (including provincial level laws), such as the PRC Criminal Law, PRC E-Commerce Law, PRC Consumer Rights Protection Law and the new data law in Shenzhen, will invariably depend on the factual context of each case and further independent analysis is recommended.

Given the personal information protection framework is still evolving, and further regulations accompanying the new PIPL and DSL are anticipated to be published in the coming months, it is recommended that organizations continue to monitor the developments of the PRC data protection regulatory framework.

Extra-territorial scope

The PIPL has extra-territorial effect, and applies both to:

data processing activities within the PRC; and

processing of PRC residents’ data outside of the PRC where the processing is:

for the purposes of providing products or services to PRC residents;

for analytics or evaluation of behavior of PRC residents; or

for any other reasons as required by law or regulations. 

The PIPL applies to both the public and private sectors.

DEFINITIONS

Definition of personal data

The PIPL defines personal data as any kind of information relating to an identified or identifiable natural person, either

electronically or otherwise recorded, but excluding information that has been anonymized.

Definition of sensitive personal data

The PIPL defines sensitive personal data as information that, once leaked or illegally used, will easily lead to infringement of human

dignity or harm to the personal or property safety of a natural person, including (but not limited to): (i) biometric data; (ii) religion;

(iii) specific social status; (iv) medical health information; (v) financial accounts; (vi) tracking/location information; and (vii) minors

data. 

NATIONAL DATA PROTECTION AUTHORITY

The PIPL has now clarified that the Cyberspace Administration of China (CAC) is primarily responsible for the overall planning

and coordination of personal information protection and related supervision. Prior to the PIPL coming into force, various other

legislative and administrative authorities have also claimed jurisdiction over data protection matters, and may continue to play

some form of role in the context of personal information protection, such as:

National People’s Congress Standing Committee

Ministry of Public Security

Ministry of Industry and Information Technology

State Administration for Market Regulation


Ministry of Science and Technology

It is also anticipated that the local Public Security Bureau branches and industry regulators will still have a role in both management

and enforcement of data protection; and the TC260 technical committee will continue to have delegated responsibility to publish

technical standards. 

Notwithstanding the CAC’s newly-clarified role, sector-specific regulators, such as the People’s Bank of China or the China

Banking and Insurance Regulatory Commission, may also monitor and enforce data protection issues of regulated institutions

within their sector.

REGISTRATION

Generally, there is no legal requirement in the PRC for data users to register with the data protection authority.

That said, there are specific registration requirements imposed on the sharing and transferring of specific categories of data (e.g.

human genetic resources), and proposed filing requirements for security impact assessments (see Cross Border Transfers).

DATA PROTECTION OFFICERS

Under the PIPL, organisations which meet certain data processing volume thresholds (as yet unspecified by the CAC) are required

to appoint a Data Protection Officer (DPO), and to register the name(s) and contact details of the responsible person with the

relevant data protection authority. 

For organisations based outside of the PRC, but processing PRC personal information, a specific representative or organisation

within the PRC should be appointed, and details reported to the data protection authority. 

Details of how and when the DPO or representative (as the case may be) should be registered are awaited.

Whilst the authorities have yet to announce the volume threshold for DPO requirements applicable under the PIPL, the PIS

Specification requires an organization to appoint a data protection officer and a data protection department if the organization:

has more than 200 employees and its main business line involves data processing;

processes personal information of more than 1,000,000 individuals, or is estimated to process personal information of

more than 1,000,000 individuals; or

processes sensitive personal information of more than 100,000 individuals.

COLLECTION & PROCESSING

Consent

In general, express, informed consent is required from the data subject before personal information can be collected, used,

transferred or otherwise processed. In certain circumstances, such as collecting or processing sensitive personal information,

overseas data transfers and direct marketing, explicit consent (i.e. consent specific to the processing activity / transfer, rather than

just general consent to the privacy notice, expressed through an affirmative action) is required from the data subject. Collection

from individuals under 14 years old is prohibited unless explicit consent is obtained from their legal guardians. As a matter of best

practice, explicit consent is recommended.

In addition, the PIPL has introduced a new requirement for separate consent to be obtained for:

processing sensitive personal information;

overseas transfers;

public disclosure of personal information;

to provide data to another data controller for processing; and

use of image or identification data collected in public through image or identification device for purposes other than

maintaining public security.


Whilst there is no clear definition of what “separate consent” constitutes in practice, it appears to suggest that organisations

should avoid bundled or forced consent.

The PIPL also introduced limited circumstances (i.e. lawful bases) in which personal information can be processed without consent,

including:

entering into or fulfilling a contract where the data subject is a named party;

carrying out human resources management under an employment policy legally established or a collective contract legally

concluded;

fulfilling legal obligations (which may be helpful in the context of regulatory investigations);

in response to public health incidents;

for public security and public interest reasons; and

as required by law (e.g. where required to disclose information under another PRC law).

However, in practice, it is unclear how these lawful bases could be relied upon. Consent remains the primary basis for lawful data

processing, and it is anticipated this will continue in practice.

Notice

In addition to obtaining consent, a data controller (i.e. the organization that has the authority to determine the purposes, means

or method of processing) should provide data subjects with a privacy policy or other form of notice, informing them of the scope

and ways in which their personal information is collected, processed and disclosed, including the following information:

the identity of the data controller, including its registered name, registered address, principal office, a telephone number

and / or an e-mail address;

a list of personal information collected for each business purpose. Where sensitive personal information is involved,

relevant consent shall be explicitly marked or highlighted;

the location of storage, retention period, means of use / processing and scope of the personal information collected;

the purposes sought by the data controller, i.e. what the data controller uses the data for (for instance, supplying goods

and services, creating a user account, processing payments, managing subscriptions to the newsletters, etc.). These should

be as comprehensive as possible, as additional purposes will require new consent;

circumstances under which the data controller will transfer, share, assign personal information to third parties (including

intra-group entities) or publicly disclose personal information, the types of personal information involved in these

circumstances, the types of third party data recipients, and the respective security and legal responsibilities of the entities;

the rights of data subjects and mechanisms for them to exercise such rights, e.g. methods to access, rectify or delete their

personal information, to de-register their accounts, withdraw their consent, obtain copies of their personal information

and restrict automated decision by the data system etc.;

potential risks for providing personal information, as well as possible consequences for not providing the data;

data security capabilities of, and data security protection measures to be adopted by, the data controller and, when

necessary, the compliance certificates related to data security and personal information protection; and

channels and procedures for making inquiries and lodging complaints by data subjects, as well as external dispute

settlement body and contact information.

The information in the privacy policy must be true, accurate and complete. The contents of the privacy policy must be clear and

easy to understand, and ambiguous language should be avoided. The privacy policy should be made available to the data subject

when collecting consent, and published publicly and easily accessible, for example, through a link placed prominently on a webpage

or an installation page of a mobile application. When changes occur to the information provided in the privacy policy, the data

subjects should be notified of such changes and (depending on the extent of changes made) further consent may need to be

obtained.


Processing 

Collection and processing of personal information must be directly related to the purpose of processing specified in the privacy

notice. 

Excessive data collection must be avoided. Interestingly the provisions of the PIPL around data minimization appear to be targeted

at apps and big data analytics. Additional restrictions are placed on use of biometric data collected in public places. 

There are prohibitions on illegal collection, use, processing, sale, disclosure and transfer of personal information. 

Impact assessment and record-keeping

The PIPL requires data controllers to undertake personal information impact assessments (PIIA) and to retain the results and

processing records (for three years) in the following circumstances:

processing of sensitive personal information;

using personal information to conduct automated decision-making;

appointing a data processor;

providing personal information to any third party (likely to include sharing with group companies);

public disclosure of personal information;

overseas data transfer of personal information; and

any other processing activities that may have “significant impact to an individual”.

A PIIA should include an assessment on:

whether the purpose of use and means of processing is legitimate, proper and necessary;

impacts and risks to individual’s interests; and

applicability of protection measures and risk appetite.

The “Guidance for Personal Information Security Impact Assessment” (PIIA Guidelines) (published by the National Standardization

Technical Committee for Information Security) came into force on June 1, 2021.

TRANSFER

If a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including

group companies), the data controller must:

inform the data subject of the purposes of the sharing, disclosure or transfer of the personal information and the types of

data recipient, and obtain prior express consent from the data subject;

perform a personal information impact assessment (PIIA), and take effective measures to protect the data subjects

according to the assessment results (e.g. putting in place a data transfer agreement or similar contractual protections)

(see Collection & Processing);

record accurately and keep the information in relation to the sharing, disclosure or transfer of the personal information,

including the date, scale, purpose and basic information of the data recipient of the sharing or assigning;

ensure personal information is only transferred where required for processing purposes;

not share or transfer any personal biometric information or other types of particularly sensitive personal information

where prohibited under relevant laws or regulations; and

ensure contractual measures are entered into to require the data processor to comply or assist the data controller in

complying with obligations under data protection laws.

Cross-border transfers

The PIPL provided helpful clarification (after years of uncertainty) on the issue of cross-border data transfers and data localization

in the PRC. In short, most personal information can be transferred or accessed outside of the PRC provided the following

compliance steps are taken:


one of the following criteria is fulfilled:

the organisation has passed a CAC security evaluation;

the organisation has obtained certification from a CAC-accredited agency;

the organisation has put in place CAC standard contractual clauses (not yet published) with the data recipient –

likely to be most relied upon in practice; or

for compliance with laws and regulations or other requirements imposed by the CAC;

the data controller has adopted necessary measures to ensure the data recipient’s data processing activities comply with

standards comparable to those set out in the PIPL. In practice this means initial due diligence, sufficient contractual

protections and ongoing monitoring etc.;

notice and separate, explicit consent has been given/obtained (see above) from the data subject (see Collection &

Processing); and

a PIIA has been conducted (see Collection & Processing).

The PIPL does not include a specific requirement to keep copies of personal information in the PRC, but the regulators’

expectations in this regard may remain.

However, certain personal information (and non-personal data) must still remain in (and cannot be accessed outside of) the PRC.

This includes (this is not an exhaustive list):

personal information processed by critical information infrastructure operators (CIIOs), unless a CAC-conducted security

assessment has been completed;

personal information processed by data controllers above a threshold/volume to be identified by the CAC (not yet

finalised), unless a CAC-conducted security assessment has been completed;

certain data under industry-specific regulations (such as in the financial services sector and genetic health data); and

certain restricted data categories (such as “state secrets”, some “important data”, geolocation and online mapping data

etc.).

Lingering uncertainty remains about the need for a CAC-conducted security assessment in certain situations. The Draft Guidelines

on Overseas Transfer (published in November 2021) proposes a host of scenarios where this may be the case, including: personal

information processed in the context of certain listing/corporate/restructuring activities; and processing of large volumes of

personal information and/or sensitive personal information.  The Draft Network Data Security Management Regulation also

proposes introducing an annual overseas data transfer security report to the CAC as well as other record keeping requirements. As

such, organizations should keep developments under review.  

Finally, according to the PIPL:

a new publicly-available entity list may be published, listing foreign organisations to whom local PRC organisations may

not transfer personal information, where such transfer may harm national security or public interest;

data controllers must not provide personal information stored within China to overseas legal or enforcement authorities

unless approval is obtained from a designated Chinese authority.  It remains unclear whether this extends to, say, requests

from overseas industry regulators; and

the PIPL clarifies that Chinese authorities may provide personal information stored within China to overseas legal or

enforcement authorities upon request, if and to the extent that there are international treaties or regulations in place to

maintain fairness and for mutual benefit.

SECURITY

According to the CSL, DSL and PIPL, organizations must keep personal information confidential and establish a data security

management system. This includes taking appropriate technical and organizational measures against unauthorized or unlawful

processing and against accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level

of security appropriate to the harm that may result from such unauthorized or unlawful processing, accidental loss, destruction

or damage, and appropriate to the nature of the data. Security measures must be deployed, as prescribed by the CSL and DSL and


their underlying measures, guidelines and technical standards (including the TC260 guidelines). The PIPL includes a specific

obligation on data controllers to adopt corresponding encryption or deidentification technologies, and to adopt access controls

and training.

Systems should also be established to handle complaints or reports about personal information security, publish the means for

individuals to make such complaints or reports, and promptly handle any such complaints or reports received. Organizations must

conduct mandatory data/cyber security training.

Additional security safeguards must be applied to processing of sensitive personal information and organizations deemed CIIOs

(see above).

The CSL implemented a multi-level protection scheme for cybersecurity protection of information systems by network operators.

Information systems are classified into 5 tiers and the security standard increases from tier 1 to tier 5. Organizations should

conduct a self-evaluation and determine the tier(s) to which their information systems belong, based on relevant laws, regulations

and guidelines. Filing to the Public Security Bureau is required and, in certain circumstances, assessment by an accredited third party

may also be required, depending on the determined tier level of a respective information system. Further national standards and

guidelines have been published to provide further details and requirements on the process and technical aspect of the tiered

system. The DSL proposes introducing a similar tiered-security scheme for classification of data in due course (details have not yet

been published).

If a data controller appoints a data processor to process personal information on its behalf, the data controller should ensure

sufficient measures are adopted by the data processor to protect the personal information: for example, to conduct due diligence

and regular audits on data processor to ensure the data processor adopts sufficient and adequate security measures; and put in

place an appropriate data processing agreement with the data processor.

BREACH NOTIFICATION

Breach notification requirements are contained in the CSL, DSL and PIPL, and should be read together. “Network security

incidents” that are notifiable are defined by reference to seven categories of different incident types. Guidelines set out other

factors that should be considered when determining whether a network security incident is potentially reportable. The China National Internet

Emergency Center may be contacted in case of doubt as to whether an incident is potentially reportable.

An incident must be immediately notified: (i) internally, to the DPO; and (ii) externally, to the regulator (the PIPL refers to the

CAC establishing (local) “personal information protection departments” (PIPD) for such purposes, but this is yet to be confirmed),

and should include:

affected data categories;

reasons for the incident, and potential consequences;

remedial measures, and mechanisms required by data controller to minimize impact; and

contact information for data controller.

If the data controller can effectively avoid the disclosure, loss or tampering of data, the PIPL suggests that there is no need to

notify data subjects. Otherwise (and as per the CSL and DSL) data subjects must be notified immediately if the actual or suspected

network security incident may result in harm to the rights and interest of the affected data subjects. Further, if the PIPD believes it

may cause impact to individuals, they may request that the data controller notifies individuals. Similar information must be given to

the data subjects alongside advice on how to protect against risks arising from the incident.  

Further changes are also expected in this regard. Notably, the Draft Network Data Security Management Regulation (intended to

supplement the PIPL) clarifies that incidents involving any of the following must be notified to the CAC and other relevant

regulators within eight hours of the data incident:

personal data of more than 100,000 individuals; or

any important data.

A second report to the CAC is then required within five working days of the incident being resolved.


In any case, immediate remedial action must be taken in the event of any suspected or actual data disclosure, loss or tampering. 

Organizations should also adopt proactive measures to minimize the risk of personal information breaches or security incidents,

including but not limited to, implementing and testing a data incident contingency plan and organizing training.

We understand the regulators are working on a project to publish further guidelines as to how network security incidents should

be managed.

ENFORCEMENT

Possible enforcement of, and sanctions for, a data protection breach in the PRC will depend on the specific data protection laws

and regulations breached. Sanctions in relation to data protection breaches are scattered across various different laws and

regulations, and the measures described below may not be comprehensive in all situations, as additional laws or regulations may be

applicable depending on the industry or type of information at hand.

Taking the PIPL by way of example, it provides a range of sanctions, including (inter alia): 

enforcement notices and warnings;

administrative fines of up to (for the most serious offences) 5% of the previous year’s annual revenue (unclear if local or

global revenue) or up to RMB million, and confiscation of unlawful income (note that the PIPL imposes much higher fines than

under other existing data privacy regulations);

cessation of processing;

suspension of apps and/or services;

suspension of business;

suspension of management/officials role;

criminal sanctions (for certain offences, and under relevant criminal laws); 

civil claims;

social credit score or equivalent business credit files may be affected.

While the PIPL has now introduced higher fines, we anticipate that in practice the operational and contractual risks faced by

organisations not complying with China’s data privacy framework – alongside increasing reputational risks – remain very significant

and should be managed very carefully.

ELECTRONIC MARKETING

Direct marketing by electronic means is only possible if the targeted consumers have explicitly consented to receiving such

messages either at the time their electronic address / mobile phone number was collected or at a later time.

Specific information must be stated in each electronic message: for example, the identity of the entity sending the message, and a

mark identifying “Guang gao” (which means advertisement in Chinese) or “AD” on a direct marketing message.

There are also specific rules applicable to direct marketing by text messages (SMS), and certain specific prescribed information

must be provided to data subjects at the time their mobile phone number was collected or prior to sending direct marketing text

messages. 

ONLINE PRIVACY

The general compliance obligations applicable to processing of personal information under the PIPL apply to the online (and

offline) environments. In addition, the PIPL imposes additional compliance obligations on organisations that fall into one of the

following categories:

“important internet platform providers”;

data controllers processing data of a “large volume of users”; or

“complex businesses”.

It is still unclear which organisations would fall within these categories, but these organisations must comply with additional


measures when processing personal information, namely:

a. set up personal information protection compliance mechanisms;

b. set up external independent data protection organisations to supervise data protection mechanisms;

c. establish platform regulations;

d. establish and publish processing obligations and processing rules that regulate products and service providers in an open

and fair manner;

e. stop providing services to product or service providers that violate laws or regulations as regards processing of personal

information; and

f. publish from time to time social responsibility reports as regards processing of personal information.

In terms of automated-decision making and profiling:

analytics or evaluation by computer programme of behavior, interests, hobbies, credit information, health or

decision making activities, must be transparent, open and fair, and should not apply any differential treatment between

individuals; and

any push information or business marketing should not be directed to an individual’s character and should provide

individuals with a convenient way to opt out.

As well as the PIPL, the CSL, Consumer Protection Law and E-Commerce Law offer protection to consumer / user personal

information. As well as personal information protection, under these rules data controllers should strengthen management of

information provided by users, prohibit the transmission of unlawful information and take necessary measures to remove any

infringing content, then report to supervisory authorities. Sufficient notice and adequate consent should be obtained from data

subjects prior to the collection and use of personal information. Further obligations are imposed on mobile apps providers

including but not limited to conducting real-name identification and undertaking information content review.

In recent years, the regulators have also issued a range of guidelines targeting mobile app providers. These guidelines introduce

specific data protection and privacy obligations aiming to regulate the data collection practices and processing activities of mobile

app providers. There has also been a crackdown against (suspected) non-compliant mobile apps. Organisations are advised to

review their app compliance as a matter of priority.

Data subject rights (under the PIPL and other laws within the personal information framework), include rights to access and obtain

information about their data held and processed, to correct their data, to request deletion of data in the event of a data breach, to

object to automated decision-making and to de-register their account etc. Most important is the right to withdraw consent to

personal information processing.

There are currently no specific requirements regarding cookies within existing laws or regulations in the PRC. However, the use

of cookies and / or similar tracking technologies, to the extent they constitute processing of personal information, should be

notified to data subjects as part of a privacy policy and adequate consent should be obtained from data subjects for such use.

Further information

See our Navigating China series (https://www.dlapiper.com/insights/publicationseries/navigating-china) for more information on China’s evolving cybersecurity and data protection landscape.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Carolyn Bigg
Partner, Global Co-Chair of Data Protection, Privacy and Security Group

T +852 2103 0576

carolyn.bigg@dlapiper.com

Venus Cheung
Registered Foreign Lawyer

T +852 2103 0572

venus.cheung@dlapiper.com

Fangfang Song
Consultant

T +86 1085200673

fangfang.song@dlapiper.com


COLOMBIA

Last modified 24 January 2022

LAW

Colombia recognizes two fundamental personal data rights under Articles 15 and 20 of its Constitution: (1) the right to privacy

and (2) the right to data rectification. Personal data processing is further regulated by two statutory laws and several decrees that

set out data protection obligations.

Statutory Law 1266 of 2008 (Law 1266) regulates the processing of financial data, credit records and commercial information

collected in Colombia or abroad. Law 1266 defines general terms on habeas data and establishes basic data processing principles,

data subject rights, data controller obligations and specific rules for financial data.

Law 1266 defines the terms Data Subject, Data Source, User of Data and Data Operator, as follows:

‘Data Subject’ means the owner of the information;

‘Data Source’ means a person or entity who receives or collects the information in the context of a commercial

relationship with the Data Subject and shares this information with the Data Operator;

‘User of Data’ means a person or entity who accesses databases and uses the information gathered by the Data Operator;

‘Data Operator’ means a person who manages a database with information provided by the Data Sources and shares it

with Users of Data, under the rules provided by Law 1266. The most common example of a Data Operator is a Credit

Bureau.

Law 1266 provides the applicable rules and conditions for Data Sources to share information with Data Operators and for such

Data Operator to manage and share the information with Users of Data. Notwithstanding this, the Law privileges processing for

purposes of managing financial, credit, commercial and services information, considering that this benefits the financial and credit

activity as a public interest activity.

Law 1266 was amended by Law 2157 of 2021. The main modifications introduced by Law 2157 are the following:

Data whose content refers to the time of default of an individual or a company, or data that refers to a lack of compliance

with monetary obligations, shall be erased immediately or as promptly as possible. This erasure requirement applies mainly

to small companies, small farmers, armed conflict victims, young people, women from rural areas, and other debtors who

are in special situations, with the specificities foreseen in the Law.

The obligation to update credit scores was created, provided that any negative data is erased.

The Law established that the frequent consultation of a person’s credit history should not be a factor for lowering their

credit rating.

Claims and requests concerning the processing of financial data must be resolved within fifteen (15) working days from the

date of receipt of the communication. If a prompt resolution is not given within this timeframe, the request is presumed

accepted for all legal purposes.

Financial data, credit records, and commercial information may not be used in making employment decisions.

The Law introduced the principle of accountability for the processing of financial information. This update implies the Data

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Colombia 233 | | | www.dlapiperdataprotection.com

Source and the Data Operator should adopt internal policies to guarantee the safety and confidentiality of the information.

Furthermore, Statutory Law 1581 of 2012 (Law 1581) regulates all personal data processing, as well as databases. Law 1581

defines special categories of personal data, including sensitive data and data collected from minors. Under the law a ‘Data

Controller’ is a legal or natural person responsible for data treatment, or processing, and a ‘Data Processor’ is a legal or natural

person in charge of personal data processing. The Data Controller creates databases on its own or in association with others,

while the Data Processor processes personal data on behalf of the Data Controller. Nevertheless, an entity may be regarded as

both Controller and Processor of personal data.

The law further regulates how authorization to process personal data is obtained and the procedures for data processing. Moreover,

the law creates the National Register of Data Bases (NRDB).

Law 1581 is applicable to all data collection and processing in Colombia, except data regulated under Law 1266 and certain other

types of data or regulated industries. The law is further applicable in any case where a data processor or controller is required to

apply Colombian law under international treaties.

Law 1581 does not regulate:

Databases regulated under Law 1266;

Personal or domestic databases;

Databases intended to protect and guarantee national security or to prevent money laundering and terrorism financing;

Intelligence and counter-intelligence agency databases;

Databases with journalistic information and editorial content; and

Databases regulated under Law 79 of 1993 (on population census).

Law 1581 further requires Data Controllers and Data Processors to guarantee that personal data: is maintained pursuant to strict

security measures and confidentiality standards, will not be modified or disclosed without the data subject’s consent, and will only

be used for purposes identified in a privacy policy or notice.

Decree 1377 of 2013 (Decree 1377) is a piece of secondary regulation related to Law 1581 which outlines requirements for

personal and domestic databases regarding authorization of personal data usage and collection, limitations to data processing,

cross-border transfer of databases and privacy warnings, among others. This Decree also requires controllers and processors to

adopt a privacy policy and privacy notice.

Decree 886 of 2014 (Decree 886) and Decree 090 of 2018 (Decree 090) issued by the Ministry of Commerce, Industry and

Tourism as well as the Resolution 090 of 2018 issued by the Superintendence of Industry and Commerce, regulate the National

Register of Data Bases and set deadlines for registration of existing databases in Colombia.

DEFINITIONS

The Colombian data protection regime distinguishes between personal data and a sub-category of sensitive personal data,

depending on the information and the harmful effects caused by its unlawful use. Law 1266 and Law 1581 contain particular rules

related to sensitive personal data.

Definition of personal data

Under Law 1266, personal data is defined as any information related to or that may be associated with one or several determined

or determinable natural or legal persons. Personal data may also be regarded as public, private or semi-private data. Public data is

available to the public based on a legal or constitutional mandate. Private or semi-private data is data that does not have a public

purpose, is intimate in nature and the disclosure of which concerns only the data subject.   

Under Law 1581, personal data is defined as any information related to, or that may be related to, one or several determined or

determinable individuals, meaning natural persons only. 

Definition of sensitive personal data


Under Law 1266, sensitive personal data is defined as data that due to its sensitivity is only relevant to its owner. 

Under Law 1581, sensitive personal data is any data that affects its owner’s intimacy or whose improper use might cause

discrimination. Data that reveals any of the below information is considered sensitive data and its processing is prohibited by law: 

Ethnic or racial origin

Political orientation

Religious or philosophic convictions

Membership in labor unions, human right groups or social organizations

Membership in any group that promotes any political interest or that promotes the rights of opposition parties

Information regarding health and sexual life, and

Biometrics

Sensitive personal data shall only be processed:

With the Data Subject’s special and specific consent

If necessary to preserve the data subject’s life, or a vital interest and the Data Subject is physically or legally unable to

provide consent

If used for a legitimate activity and with all necessary security measures, by an NGO, an association or any kind of

nonprofit entity, in which case, the entity will need the Data Subject’s consent to provide the sensitive personal data to

third parties

If such data is related to or fundamental to exercising a right in the context of a trial or any judicial procedure, or

If such data has a historic, statistical or scientific purpose, in which case the Data Subject’s identity may not be disclosed

NATIONAL DATA PROTECTION AUTHORITY

According to Law 1266, there are two different authorities on data protection and data privacy matters. The first of them, which

acts as a general authority, is the Superintendent of Industry and Commerce (SIC). The second authority is the Superintendence of

Finance (SOF), which acts as a supervisor of financial institutions, credit bureaus and other entities that manage financial data or

credit records and verifies the enforcement of Law 1266.

Nevertheless, under Law 1581, the SIC is the highest authority regarding personal data protection and data privacy. It is

empowered to investigate and impose penalties on companies for the inappropriate collection, storage, usage, transfer and

elimination of personal data.

REGISTRATION

Law 1581 created the National Register of Data Bases (NRDB). Databases that store personal data and whose automated or

manual processing is carried out by a natural or legal person, whether public or private in nature, in the Colombian territory or

abroad, shall be registered in the NRDB. Database registration is also required if Colombian law applies to the data controller or

data processor under an International Law or Treaty. Registration is mandatory for data controllers that are either of the

following:

Companies or nonprofit entities that have total assets valued above 100,000 Tax Value Units (TVU), meaning COP

3.800.400.000 million (USD 950.100) [1]

Legal persons of public nature

Decree 886 states that each data controller shall register each one of its databases independently and must distinguish between

manual and automated databases. In addition, in order to register each database, the data controller or data processor shall

provide the following information: 

Identification information of the data controller, such as: business name, tax identification number, location and contact

information

Identification details of the data processor, such as: business name, tax identification number, location and contact

information


Contact channels to grant data subjects rights

Name and purpose of the database

Form of processing (manual / automated)

Security standards

Privacy policy

All databases were required to register by January 31, 2019. Any new database shall be registered within the 2 months

following its creation.

Any substantial change to any of the abovementioned items shall be updated in the National Registry of Data Bases. For this

purpose, substantial changes are considered as any changes that are made with regard to the purposes of the databases, the data

processors, the channels to process any claim or request from the data subject, the class or type of personal data, the security

measures implemented, the data privacy policy and/or the international transfer or transmission of personal data.

Such updates shall be made:

       i. Within the first 10 days of the month in which the substantial change was made, and

       ii. Yearly (between January 2 and March 31 of each year).

Moreover, through the National Register of Data Bases, data controllers shall inform of the following:

Any claim submitted by a data subject to the data controller and/or data processor, within each semester of the year. This

information shall be registered within the first 15 business days of February and August of each year with the information

of the previous semester.

Any breaches of registered data bases. Such report shall be submitted within the 15 business days following the day on

which the data controller had knowledge of the data breach.

Footnote 1: Based on the Tax Value Unit for 2022 (COP $38.004 (approximately USD 9.5)). The Tax Value Unit is updated yearly

by the Colombian tax authority.

DATA PROTECTION OFFICERS

There is no requirement to appoint a formal data protection officer in Colombia. However, companies are required to appoint

either a specific person, or a designated group within the company to be in charge of personal data matters, specifically the

handling of Data Subject rights and privacy requests.

COLLECTION & PROCESSING

The processing of financial data, credit records and commercial information, collected in Colombia or abroad, does not require

authorization from the Data Subject. However, this information may only be disclosed to:

The Data Subject or authorized third parties, pursuant to the procedure established by law

The Users of the Data

Any judicial or jurisdictional authority upon request

Any control or administrative authority, when an investigation is ongoing

Data processors, with the Data Subject’s authorization, or when no authorization is needed, and the database aims for

the same objective or involves an activity that may cover the purpose of the disclosing data processor

By contrast, Law 1581 requires the authorization of the Data Subject for the data controller to process private and

semi-private personal data. For the authorization to be valid it must be obtained prior to the data processing and must be

“informed”, meaning that the data subject must have been made aware of the exact purposes for which the data is being


processed. Decree 1377 requires the following:

Personal data shall only be collected and processed in accordance with the purposes authorized by the Data Subject.

Such authorization may be obtained by any means, provided that it allows subsequent consultation.   

Authorization is not required when:

A public or administrative entity demands the information through a judicial order or exercising its legal duties.

It is public data.

A medical or sanitary urgency requires the processing of personal data. 

The data processing is authorized by law for historical, statistical or scientific purposes.

The data is related to people’s birth certificates.

Regarding sensitive personal data, Section 6 of Decree 1377 states that the data controller shall do the following: 

Expressly inform the Data Subject that he or she is not compelled to provide sensitive personal data

Expressly identify what data to be collected and processed is sensitive and

Obtain the Data Subject’s express consent prior to the processing of their sensitive personal data

In any case, silence is not considered a reasonable means of obtaining authorization for personal data or sensitive personal data

processing.

Furthermore, when collecting personal data of children, both the data controller and the data processor shall ensure that personal

data processed serves and respects the children’s superior interests and guarantees their fundamental rights. For these purposes,

the child’s legal representative (parent or guardian) must authorize the processing of their child’s personal data.

Privacy policy and privacy notice

Decree 1377 establishes the obligation for data controllers to develop a privacy policy that governs personal data processing and

ensures regulatory compliance. For this reason, privacy policies are mandatory for all data controllers and shall be clearly written;

Spanish is recommended. Finally, according to the Decree 1377, the minimum requirements for the privacy policy are:

Name, address, email and phone number of the data controller

Processes and handling of data and the purpose of such processing

Rights of the Data Subject

Individual or department within the data controller that is responsible for the attention to requests, consultations and

claims to update, rectify or suppress data and to revoke authorization

Procedure to exercise the abovementioned rights, and

Date of creation and effective date

The privacy notice is a verbal or written communication by the data controller, addressed to the data subject, for processing

her/his personal data. In this communication, the data subject is informed about the privacy policies of the data controller, the

manner to access them and the purposes of the treatment.

TRANSFER

Per Law 1581, the transfer of personal data occurs when the data controller or the data processor located in Colombia sends the

personal data to a recipient, in Colombia or abroad, who is responsible for the personal data, i.e., a data controller.

Cross-border data transfers are prohibited unless the country where the data will be transferred to provides at least equivalent

data privacy and protection standards and adequate safeguards to those provided by Colombian law. In this regard, adequate levels

of data protection will be determined in accordance with the standards set by the SIC. 

This restriction does not apply in the following cases: 

If the Data Subject expressly consented to the cross-border transfer of data


Exchange of medical data

Bank or stock transfers

Transfers agreed to under international treaties to which Colombia is a party

Transfers necessary for the performance of a contract between the Data Subject and the controller, or for the

implementation of pre-contractual measures, provided the data owner consented, and

Transfers legally required in order to safeguard the public interest

Therefore, the data controller requires the authorization of the Data Subject for transferring the personal data abroad, unless such

transfer is to one of the following countries which, according to the SIC, meet the standard of data protection and security levels. 

Authorized countries for international transfer of personal data

Albania

Argentina

Austria

Belgium

Bulgaria

Canada

Costa Rica

Croatia

Cyprus

Czech Republic

Denmark

Estonia

Finland

France

Germany

Greece

Hungary

Iceland

Ireland

Italy

Japan

Latvia

Lithuania

Luxembourg

Malta

Mexico

Netherlands

New Zealand

Norway

Perú

Poland

Portugal

Republic of Korea

Romania

Serbia

Slovakia

Slovenia

Spain

Sweden

Switzerland

United States


United Kingdom

Uruguay

The SIC also considers that personal data can be transferred to any country which the European Commission considers

to meet its standard for levels of protection.

Transfer of personal data 

The transfer of personal data takes place when the data controller provides personal data to a data processor, in Colombia or

abroad, in order to allow the data processor to process the personal data on behalf of the data controller. The data subject’s

consent is required for the transfer of data, unless an adequate data transfer agreement between the data processor and the data

controller is in place. 

In this regard, Decree 1377 requires that the aforementioned agreement include the following clauses:

The extent and limitations of the data treatment

The activities that the data processor will perform on behalf of the data controller, and

The obligations the data processor has to data subjects and the data controller 

The data processor has three additional obligations when processing personal data: 

Process data according to the legal principles established in Colombian law

Guarantee the safety and security of the databases

Maintain strict confidentiality of the personal data  

A data controller transferring data to a data processor must identify the data processor in the National Database Register for each

database transferred. Finally, the data processor must process the personal data in accordance with the data controller’s privacy

policy and the authorization given by the data subject.

SECURITY

Data controllers have the legal duty of guaranteeing that the information under their control is kept under strict security

measures. For this reason, data controllers shall ensure that such information will not be manipulated or modified without the

Data Subject’s consent. For this purpose, the data controller shall develop an information security policy that prevents

unauthorized access, the damage or loss of information, including personal data.

BREACH NOTIFICATION

Under sections 17 and 18 of Law 1581, both the data controller and the data processor shall notify the authority (SIC) in

case of a breach of security, security risk, or a risk for data administration. 

ENFORCEMENT

Since privacy and proper maintenance of personal data are fundamental constitutional rights in Colombia, every citizen is entitled

to pursue protection before any Colombian judge, via constitutional action. Any judge may order a private or public entity to

modify, rectify, secure or delete personal data if it is kept under conditions that violate constitutional rights. Constitutional actions

can take up to ten days to be resolved and an order issued, and failure to comply may result in imprisonment of the legal

representative of the violating entity.

The Criminal Code of Colombia sets out in section 269F that anyone who, without authorization, seeking personal or third party

gain, obtains, compiles, subtracts, offers, sells, interchanges, sends, purchases, intercepts, divulges, modifies or employs personal

codes or data contained in databases or similar platforms, will be punishable by 48 to 96 months of prison, and a fine of

approximately USD 26,700 to USD 267,000.

Finally, since SIC is an administrative and jurisdictional authority, it is allowed to investigate (as mentioned above), request

information, initiate actions against private entities, and impose fines up to approximately USD 534,000, and order or obtain


temporary or permanent closure of the company, entity or business.

ELECTRONIC MARKETING

Law 527 of 1999 (Law 527) regulates e-commerce and electronic marketing, but there is no specific regulation regarding data

privacy on electronic marketing. In any case, the Data Subject’s consent is required for marketing, whether electronic or not, and

the processing of any personal data for this purpose shall be in accordance with Law 1581.

ONLINE PRIVACY

There is no specific regulation regarding online processing of personal data. Thus, online privacy and data processing is governed

by Law 1581.

Personal data must not be available online unless there are adequate security measures to ensure that access by any unauthorized

user is restricted.

Collection and use of data collected through cookies or similar online tracking tools is prohibited unless the Data Subject has

provided consent. Such consent may be obtained by a pop-up informing the user about the company’s privacy policy and ways for

the Data Subject to review, manage or disable cookies.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Maria Claudia Martinez Beltrán
Partner

DLA Piper Martinez Beltrán

T +57 3174720

mcmartinez@dlapipermb.com


COSTA RICA

Last modified 24 January 2022

LAW

Data privacy regulation in Costa Rica is contained in two laws, the “Laws”: Law No. 7975, the Undisclosed Information Law, which

makes it a crime to disclose confidential and/or personal information without authorization; and Law No. 8968, Protection in the

Handling of the Personal Data of Individuals together with its by-laws, which were enacted to regulate the activities of companies

that administer databases containing personal information. Therefore, the scope of the second law is limited.

The Costa Rican Congress is currently discussing a bill which would fully amend the Laws currently in effect. The bill was

presented to local Congress in January 2021 and is still under discussion.

The proposed bill aims to update the Laws and align their provisions to the principles contained in the EU General Data Protection

Regulation (GDPR). It is still unclear when and if the proposed bill will be enacted.

DEFINITIONS

Definition of personal data

Personal information contained in public or private registries (eg, medical records) that identifies or could be used to identify a

natural person. Personal information can only be disclosed to persons or entities with a need to know such information.

Definition of sensitive personal data

Personal information related to the personal sphere of an individual, including racial origin, political opinion, religious or spiritual

convictions, socioeconomic condition, biomedical or genetic information, sex life and sexual orientation, among others. Sensitive

personal data cannot be disclosed without express prior authorization from the data subject.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to Law No. 8968, the Agency for the Protection of Individuals’ Data (PRODHAB) is the entity charged with enforcing

compliance with the Laws.

The Constitutional Court and local civil courts also have jurisdiction to hear claims alleging violations of the Laws.

REGISTRATION

Under Law 8968, companies that manage databases containing personal information and that distribute, disclose or commercialize

such personal information in any manner must register with the Agency.

Entities that manage databases containing personal information for internal purposes do not need to be registered with

PRODHAB.


Databases managed by financial institutions subject to control and regulation from the Superintendent of Financial Entities of Costa

Rica do not need to be registered with the Agency.

In-house databases are outside the scope of enforcement of the Laws.

DATA PROTECTION OFFICERS

There is no requirement for a data protection officer.

COLLECTION & PROCESSING

Any company may store personal information and manage a database containing it if the following rules are respected:

When collecting personal information, private companies and/or the government must respect the “sphere of privacy” to

which all individuals are entitled

Such companies must obtain prior, unequivocal, express and valid consent from the owner of the personal information or

his or her representative. Such consent must be written (either handwritten or electronic)

Companies that maintain personal information about others in their databases must ensure that such information is:

Materially truthful

Complete and

Accurate

Data subjects must be given access to their personal information and are entitled to dispute any erroneous or misleading

information about them at any time

Companies that manage databases containing personal information and that distribute, commercialize or disseminate such

personal information in any manner, must comply with Law 8968. Particularly, they must comply with the following: 

Report and register the company and the database with PRODHAB

Report the technical measures to secure the database

Protect and respect confidentiality of personal information

Secure the information contained in the databases

Establish a proceeding to review requests filed by data subjects for the amendment of any error or mistakes in the

database

TRANSFER

The transfer of personal information is authorized by the Laws if the data subject provides prior, unequivocal, express and valid

written consent to the company that manages the database. Such transfers cannot violate the principles and rights granted in the

Laws. Also, there are specific limitations regarding cross-border transfers of personal information.

The transfer of personal information from the person responsible for a database to a service supplier, technological intermediary,

or entities in the same economic interest group is not considered a transfer of personal information and thus does not need

authorization from the data subject. Also, the transfer of public information (which can be generally accessed) does not need

authorization from the data subject.

SECURITY


Any company or individual using and/or managing personal information must take all necessary steps (technical and

organizational) to guarantee that the information is kept in a secure environment, and must issue an internal protocol indicating all

the procedures that shall be followed during the collection, storage and use of such information.

If security is breached because of improper management or protection, then the responsible company may be held liable, and may

be subject to penalties and civil liability for any harm.

BREACH NOTIFICATION

Any entity managing personal data must inform PRODHAB and the data subject about any breach of personal information

within five business days after the time of the breach.

In the notification, the entity must provide to PRODHAB and the data subject the following information:

Nature of the breach;

Personal data compromised by the breach;

Immediate corrective actions taken by the entity;

Other preventive and corrective actions that will be taken;

Contact information to obtain further information.

ENFORCEMENT

PRODHAB has begun to enforce the obligations established under the Laws. Individuals may file their claims directly with

PRODHAB, which may initiate an administrative procedure against the database manager. 

In 2019, PRODHAB received more than 230 complaints (the highest number in history) regarding potential breaches to data

protection regulations.

ELECTRONIC MARKETING

General rules of data protection will apply. There is little to no regulation of electronic marketing.

Notwithstanding the above, the Telecommunications Act sets the scope and the mechanisms of regulation for telecommunications

(including e-marketing), by describing the data subject’s rights, interests and privacy protection policy. Therefore, pursuant to such

Act, marketing companies may not advertise via phone nor email unless they obtain prior and express written consent from the

data subject. If such companies do not comply with such condition, they might be sanctioned with a fine that can be between

0,025% and 0,5% of the income of the company of the last fiscal year.

ONLINE PRIVACY

There has been little to no regulation in this area. However, the general rules of data protection issued by the Constitutional

Court, with respect to the collection and processing of personal information, apply.


KEY CONTACTS

FACIO & CAÑAS

www.fayca.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Carlos J. Oreamuno
Partner

Facio & Cañas

T +(506) 2233 9202

coreamuno@fayca.com

Sergio A. Solera
Partner

Facio & Cañas

ssolera@fayca.com


CROATIA

Last modified 12 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force

in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on

May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the

offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their

behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Act on the Implementation of the General Data Protection Regulation (in Croatian as Zakon o provedbi Ope uredbe o

) was enacted in the Croatian Parliament on April 27, 2018 and came into force on May 25, 2018 (the ‘zaštiti podataka Act

’).

Also, the Act on Healthcare Data and Information, which came into force on 15 February 2019, regulates rights,

obligations and responsibilities of legal and natural persons within the Croatian healthcare system with respect to

healthcare data and information and, inter alia, sets out fundamental principles and standards of their collection, processing

and protection.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Act refers to all definitions as stated in the GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The national data protection authority for Croatia is the Croatian Personal Data Protection Agency (in Croatian: Agencija za zaštitu osobnih podataka, AZOP).

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The Act does not impose any special registration requirements, save for those imposed by the GDPR.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Act does not contain any special requirements related to data protection officers, other than those imposed by the GDPR. AZOP must, however, be informed of the appointment of the DPO and of any change of DPO.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

In application of the possibility left to Member States to deviate from the provisions of the GDPR, the Act provides the following obligations with regard to the collection and processing of personal data:

Processing of Genetic Data

The Act forbids any processing of genetic data for the purposes of life insurance calculations and entering into life insurance agreements. Consent given by data subjects does not lift this restriction.

Processing of Biometric Data

Public authorities and private entities may process biometric data only if such processing is defined by law and is necessary for the protection of persons, assets, classified information or professional secrets, provided that the interests of data subjects that contravene such processing do not prevail. Processing of biometric data necessary for the fulfilment of international treaties related to the identification of data subjects when crossing state borders is considered lawful.

Private entities may process biometric data for the purposes of secure identification of users of services, only on the basis of explicit consent given by the users in accordance with the provisions of the GDPR.

Processing of biometric data (eg fingerprints, eye-scans) for the purposes of working time recording or entry/exit of working premises is allowed only on the basis of a legal obligation or if the employer has provided an alternative mechanism for such purposes (eg signature list) and the data subjects have given explicit consent in accordance with the provisions of the GDPR.

Processing of Personal Data through Video Surveillance

Data controllers (or processors) must provide a clear notification to data subjects that premises (or part of them) are under video surveillance. Such notification must be visible at the latest when entering the perimeter of surveillance, and must contain the information required by Article 13 of the GDPR. Also, a clear and understandable photograph (sticker) must be attached to the notification containing:

a notice that the object is under video surveillance

information on the data controller, and

contact details of the data controller for possible complaints

Records of video surveillance may be kept for 6 months, unless a special law or regulation provides for a longer period.

In relation to work premises, such premises may be put under video surveillance by the employer only if the conditions under the work safety regulations have been met, and all employees have been notified in advance of the existence of video surveillance. Premises intended for rest, hygiene and changing rooms may not be put under video surveillance.

In relation to residential buildings, video surveillance may be installed in such buildings on condition that 2/3 of all owners agree. However, only access to the building’s entrance and exit and common premises (eg stairways) may be put under video surveillance. Video surveillance used for the purpose of controlling the effectiveness of cleaners and other staff working in residential buildings is forbidden.

TRANSFER


Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

The Act does not contain any special transfer requirements other than those prescribed by the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymization and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Act does not contain any special security requirements other than those prescribed by the GDPR.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

The Act does not contain any special breach notification requirements other than those prescribed by the GDPR.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.


Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The Croatian Personal Data Protection Agency is the enforcement body in Croatia competent for matters related to

privacy and personal data. Its decisions may be challenged by initiating administrative litigation at the competent

administrative court.

Administrative fines may not be imposed on public authorities and bodies.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

Electronic marketing is regulated by the DP Law. A data controller has to inform a data subject in advance of its intention to collect

and process his / her data for marketing purposes. A data subject can decline to give his / her consent for the respective processing.

However, even if a data subject consents to the particular processing for the respective purposes, the processing is allowed only

for as long as the data subject does not object to it (opt-out provisions are commonly used in consent forms).

The Act does not contain any special electronic marketing requirements other than those prescribed by the GDPR. It sets

the consent age limit for offering of information society services to children to 16.

ONLINE PRIVACY

All rules on data protection are also applicable to electronic communications and online privacy. AZOP (the Croatian Personal Data

Protection Agency) is in charge of supervising all online data processing.

Online privacy and cookies are regulated by the Electronic Communications Act (‘Official Gazette of the Republic of Croatia’, nos.

73/2008, 90/2011, 133/2012, 80/2013, 71/2014 and 72/2017) which has implemented Directive 2002/58/EC on the processing of personal

data and the protection of privacy in the electronic communications sector.

Use of an electronic communications network to store data, or to gain access to data already stored, in a data subject’s terminal

equipment is allowed only with the data subject’s consent, given after he / she has been clearly and completely informed of the purpose

of the data processing (opt-in).

The Act does not contain any special online privacy requirements other than those prescribed by the GDPR.

KEY CONTACTS

Boris Dvoršćak
Attorney-at-law

Ilej & Partners law firm ltd.

T +385 1 5634 111

boris.dvorscak@ilej-partners.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


CUBA

Last modified 16 February 2022

LAW

Cuba does not have its own data protection law. 

Cuba regulates data privacy and protection issues, in general, under the following rules:

Constitution of the Republic of Cuba (2019), Article 97

Decree-Law 35/2021 “On Telecommunications, Information and Communication Technologies and the use of the

Radioelectric Spectrum”.

Decree-Law No. 370/2018 “On the Computerization of the Society in Cuba”.

Decree 360/2019 “On the Security of Information and Communication Technologies and the Defence of National

Cyberspace”.

Resolution No. 99/2019 “Regulation for private data networks”.

Other rules:

Regulation for the production of computer programs and applications and the evaluation of their quality (2019).

System for registration of computer programs and applications (2019).

Regulation with the control measures and the types of security tools that are implemented in private data

networks (2019).

Regulation of the provider of public accommodation and hosting services in the internet environment (2019).

Information and communication technology security regulation (2019).

Methodology for Information Security Management (2019).

DEFINITIONS

Definition of Personal Data

Rather than defining personal data as such, the regulatory framework approaches information in a general sense, oriented to the

preservation of its confidentiality, integrity and availability, and focuses on establishing rules that regulate the management and

treatment of information in general, especially in relation to cybersecurity.

Definition of Sensitive Personal Data

Cuban rules do not provide for an express definition of sensitive personal data.

NATIONAL DATA PROTECTION AUTHORITY


Ministry of Communications.

REGISTRATION

No requirements.

DATA PROTECTION OFFICERS

There is no general requirement under binding Cuban rules for organisations to appoint a data protection officer.

COLLECTION & PROCESSING

Generally, entities must obtain prior express consent from data subjects and provide prior notice to the Ministry of

Communications to lawfully collect and process personal data. However, data subject consent is not required in certain

circumstances provided for by Cuban rules.

TRANSFER

The Cuban rules contain no provisions on data transfers.

SECURITY

Organisations must take appropriate technical and organisational measures against unauthorised or unlawful processing and against

accidental loss, destruction of, or damage to, personal information. The measures taken must ensure a level of security

appropriate to the harm that may result from such unauthorised or unlawful processing, accidental loss, destruction or damage,

and appropriate to the nature of the data.

BREACH NOTIFICATION

The Ministry of Communications, in coordination with other authorities, establishes the Program for Strengthening Cybersecurity

and coordinates participation in activities required for this purpose and implements its control and inspection. 

The Cuban rules introduced a general requirement for the reporting and notification of actual or suspected personal information

breaches. Where personal information is leaked, lost or distorted (or where there is a potential for such incidents), organisations must

promptly take relevant measures to mitigate any damage, notify the relevant data subjects and report to the relevant

government agencies in a timely manner in accordance with the relevant provisions.

Mandatory breach notification

All breaches must be reported according to a four-level security scheme.

ENFORCEMENT

The competent authority for the enforcement of Data Protection rules is the Ministry of Communications, in coordination with

the Ministry of Interior, Cuban Central Bank, and other authorities.

ELECTRONIC MARKETING

Natural and legal persons that provide goods and services for digital media are obliged to develop a technically safe environment

for commercial transactions in which they operate, in accordance with current legislation.

ONLINE PRIVACY

There is nothing established about online privacy, or cookies, or location data.


KEY CONTACTS

Aldo Alvarez
Director

Mercatoria

T +53 58050722

aalvarez@mercatoria.net

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


CURAÇAO

Last modified 21 December 2021

LAW

National Ordinance Personal Data Protection (Landsverordening bescherming persoonsgegevens, National Gazette 2010,

Consolidated text no. 84) (the “National Ordinance Personal Data Protection”);

General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on

May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is

not only relevant to businesses established in the European Union but also to international businesses established in

Curaçao which offer goods or services to individuals in the European Union or monitor their behaviour in the European

Union.

DEFINITIONS

Definition of Personal Data

National Ordinance Personal Data Protection 

According to the Explanatory Memorandum on the National Ordinance Personal Data Protection the term personal data has a

broad meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a

particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic

comparison and lengthy investigations. Personally identifiable data is therefore not limited to home address, email

address, telephone number, membership number and/or identity number. 

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,

location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,

cultural or social identity of that natural person.

Definition of Sensitive Personal Data

National Ordinance Personal Data Protection 

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade

union.

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic

data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.


NATIONAL DATA PROTECTION AUTHORITY

National Ordinance Personal Data Protection 

The Personal Data Protection Committee as referred to in article 42 of the National Ordinance Personal Data Protection. 

GDPR 

An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The

authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of

natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

REGISTRATION

National Ordinance Personal Data Protection 

No registration required. 

GDPR 

Article 30 GDPR requires controllers and processors to keep an internal record (in writing, including in electronic form) of all

personal data processing activities carried out by the organisation.

DATA PROTECTION OFFICERS

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate

technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures

shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view

of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at

preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of

registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

When the organisation is a public authority or body;

If the core activities require regular and systematic monitoring of data subjects on a large scale; or

If the core activities involve large scale processing of special categories of personal data and data relating to criminal

convictions.

COLLECTION & PROCESSING

National Ordinance Personal Data Protection 

Controller (holder): a natural or legal person, public authority, agency or other body which has control over a personal data registration. 

Processor: a natural or legal person, public authority, agency or other body which owns or has in its possession all or part of the

equipment with which a personal data registration, of which it is not the holder, is kept. 

GDPR 

Controller: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain

purposes, like a website that markets to users based on their online behaviour. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the

controller. Processors act on behalf of the relevant controller and under their authority.

TRANSFER

National Ordinance Personal Data Protection 

Contains no clauses. 

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area (and thus outside the protection of the GDPR), unless

the rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions

applies.

SECURITY

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate

technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures

shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view

of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at

preventing unnecessary gathering and further processing of personal data. 

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as

well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor

shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32

GDPR).

BREACH NOTIFICATION

National Ordinance Personal Data Protection 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after

having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55

GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

ENFORCEMENT

National Ordinance Personal Data Protection 

Pursuant to article 54, the responsible party who acts in contravention of the provisions of or pursuant to article 4(3) may be

penalized by the Curaçao Personal Data Protection Committee with a financial penalty of up to NAf. 10,000.00 (approximately USD

5,714.29). 

GDPR 


The GDPR holds a variety of potential penalties for businesses. 

For example, article 77 of GDPR states that: 

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her

habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data

relating him or her infringes this Regulation.” 

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the

 data subject has his or her habitual residence.”

Penalties 

Compensation to Data Subjects. One remedy that may be imposed is compensation, as stated in Article 82 of the Regulation, to

“any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they have

suffered. 

Fines 

Article 83 of the GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the

level of cooperation that the controller or processor provides to the supervisory authority. Less severe infringements may incur

administrative fines of up to EUR 10,000,000 or 2% of total worldwide annual turnover for the preceding year (whichever is

greater), while more severe infractions may double these amounts (EUR 20,000,000 or 4% of annual turnover). 

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional

penalties are not specifically listed in the text of the Regulation since they are up to the individual EU nations to set; the only

guidance in Article 84 of the GDPR is that “such penalties shall be effective, proportionate and dissuasive” and that “each Member State

shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

ELECTRONIC MARKETING

National Ordinance Personal Data Protection 

N/A. 

GDPR

Organizations cannot send marketing emails without active, specific consent (Article 13 of the ePrivacy Directive 2002/58/EC, read with the GDPR standard of consent in Articles 4(11) and 7 GDPR).

Companies can only send email marketing to individuals if:

The individual has specifically consented.

They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

ONLINE PRIVACY

National Ordinance Personal Data Protection

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do

have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

Location data: the GDPR will apply if the data collector collects location data from the device and it can be used to identify a

person. 

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is

processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from

others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address

etc. are not known. 

KEY CONTACTS

HBN Law & Tax

hbnlawtax.com/

Maarten Willems
Senior Associate

HBN Law & Tax

T +297 588 6060

maarten.willems@hbnlawtax.com

Misha Bemer
Partner

HBN Law & Tax

T +297 588 6060

misha.bemer@hbnlawtax.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


CYPRUS

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force

in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on

May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the

offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their

behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Protection of Physical Persons Against the Processing of Personal Data and Free Movement of such Data Law

125(I)/2018, that implements certain provisions of the GDPR into local law, entered into force on July 31, 2018 (the “Law”).

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for

“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set

of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who

“alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor

“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Law uses the definitions provided under the GDPR without any derogation.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The authority designated under the Law as being the local regulatory body for the purposes of the GDPR is the

Commissioner for the Protection of Personal Data in Cyprus (the “Commissioner”).

The Law affords certain powers to and imposes obligations on the Commissioner which are in addition to the GDPR,

including, inter alia, the following:

Examination of complaints and providing information to the person making the complaint within 30 days of

submission thereto.

The obligation to inform the data subject, the data controller and the processor of the deadlines indicated under

Articles 60-66 of the GDPR.

The publication of a list of processing activities requiring the appointment of a data protection officer.

To consult specialists or the police for exercising its regulatory powers under Article 58 of the GDPR.

To enter, without giving any prior notice to the data controller or the processor or their representatives, any

office, business premises or means of transport with the exception of housing premises, for inspections.

To inform the Attorney General’s Office and / or the police for breaches of the GDPR and the national law giving

rise to criminal liability.

To permit the combination of filing systems and to impose terms and conditions in relation thereto.

To impose terms and conditions on the exemption from the obligation of the data controller to notify data

subjects of personal data breaches as provided for in Article 23 of the GDPR.

To impose explicit restrictions on the transfer of special categories of personal data to third countries or

international organizations.

Further, the Certification Body for the purposes of Article 43 of the GDPR is the Cyprus Organisation of the Promotion

of Quality which is the national organization for accreditations in Cyprus operating under the Standardisation,

Accreditation and Technical Notification Law (L156(I)/2002).

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities ( processing ofeg,

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

There is no registration applicable with the exception of what is referred to in the immediately succeeding paragraph for

data protection officers.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;


to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

According to the Law, the Commissioner may draw up and make available to the public a list of the processing operations and / or other instances for which the designation of a data protection officer (the “DPO”) by the data controller and the processor is deemed necessary. A list of names of data controllers and processors who have designated a DPO may be published on the Commissioner’s website provided the data controller and the processor wish to be included therein.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to

demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data


Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their

legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.


http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631


Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Collection and processing of genetic and biometric data for the purpose of health and life insurance is prohibited.

Subject to the above, where processing of genetic and biometric data is based on consent, subsequent and separate

consents should be obtained for any further processing.

Further, according to the Law, impact assessment and prior consultation with the Commissioner are required in the

following instances:

when a combination of filing systems of public authorities or certification bodies is conducted in relation to

special categories of personal data or data relating to criminal offences or penalties or will be carried out on the

basis of the use of an ID number or any other identifier of general application;

where, subject to the provisions of Article 23 of the GDPR, measures are taken by the data controller to restrict

the rights referred to under Article 12, 18, 19 and 20 of the GDPR;

where the data controller is exempted from the obligation to notify data subjects for breaches of personal data

for one or more of the purposes listed in Article 23(1) of the GDPR, including inter alia, national security,

defense, public security, prevention, investigation, detection or prosecution of criminal offences etc;

where national legislation or regulations issued pursuant thereto provide for a specific action or series of

processing activities; and

where special categories of personal data will be transferred to a third country or an international organization by

the controller or the processor, on the basis of a derogation for specific situations provided for under Article 49

of the GDPR.

TRANSFER


Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defense of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

With regard to the transfer of special categories of personal data, prior to such data being transferred to a third country or an international organization on the basis of appropriate safeguards provided for under Article 46 of the GDPR or on the basis of binding corporate rules under Article 47 of the GDPR, the data controller or the processor needs to inform the Commissioner of its intention to transfer the said data. The Commissioner may impose express restrictions for such transfer.

Similarly, when special categories of personal data are to be transferred to a third country or an international organization

on the basis of a derogation for specific situations provided for under Article 49 of the GDPR, an impact assessment is

required to be carried out as well as prior consultation with the Commissioner and the Commissioner may, for important

reasons of public interest, impose express restrictions for such transfer.

In light of the Schrems II decision, the European Data Protection Board (EDPB) has issued Recommendations 01/2020 on

measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, in respect

of transfers made under the standard contractual clauses. The Commissioner directs organisations to the EDPB

Recommendations 01/2020 and urges them to follow the guidance of the EDPB.

SECURITY


Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.

There are no derogations or additional requirements introduced by the Law in relation to security.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

According to the Law, the data controller may be exempted, in whole or in part, from his obligation to notify data subjects for breaches of personal data for one or more of the purposes listed in Article 23(1) of the GDPR, including inter alia, national security, defense, public security, prevention, investigation, detection or prosecution of criminal offences etc.

In order for the foregoing to apply, an impact assessment and a prior consultation with the Commissioner need to be

conducted. The Commissioner may also set out specific terms and conditions for such exemption.

ENFORCEMENT


Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 


All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

According to the Law, the Council of Ministers may, upon a recommendation of the Commissioner, issue regulatory

administrative acts (secondary legislation) in order to effectively enforce the GDPR and applicable national law.

Further, the Law provides that the Commissioner for the Protection of Personal Data shall impose administrative fines in accordance with Article 83 of the GDPR. The Law also provides that an administrative fine imposed on a public authority or body in relation to non-profit activities shall not exceed EUR 200,000.

The Law provides, inter alia, that breaches of, inter alia, Articles 30, 31, 33, 34, 35, 42 and of Chapter V of the GDPR, shall

constitute a criminal offence which may result in the imposition of imprisonment up to three years and / or monetary fine

up to EUR 30,000 or imprisonment up to five years and / or monetary fine up to EUR 50,000, depending on the breach.

Where the data controller or processor is a company or a group of undertakings, then the person indicated as such in its

article of association will be held liable for breaches of the GDPR and / or the national law. In case of public authorities or

bodies, the head of such authority or the person who is effectively exercising the administration of such authority will be

held liable for such breaches.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Regulation of Electronic Communications and Postal Services Law of 2004 (112(I)/2004) as amended (the “Electronic Communications and Postal Services Law”) will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg, an email address is likely to be personal data for the purposes of the Electronic Communications and Postal Services Law).

Section 106 of the Electronic Communications and Postal Services Law states the following:

1. The use of automatic calling machines, fax, electronic mail or SMS messages for the purposes of direct marketing may only be allowed in respect of subscribers or users who have given their prior consent.

2. Unsolicited communications for the purposes of direct marketing, by means other than those referred to in (1) above, are not allowed without the consent of the subscribers or users concerned.

3. The rights referred to in (1) and (2) above shall apply to subscribers who are natural persons. The Commissioner of Electronic Communications and Postal Regulation may, after consultation with the Personal Data Commissioner, issue orders to safeguard that the legitimate interests of legal persons regarding unsolicited communications are adequately protected. In 2005, the Commissioner of Electronic Communications and Postal Regulation issued the 2005 Order regarding Safeguarding the Interests of Legal Persons in relation to Unsolicited Communications, by virtue of which the protection from unsolicited communications for the purposes of direct marketing has been extended to legal persons as well.

4. Notwithstanding (1) above, in cases where a natural or legal person obtains from its customers contact details for electronic mail, in the context of the sale of a product or a service, the same natural or legal person may use these electronic details for direct marketing of its own similar products or services, provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details when they are collected and on the occasion of each message, in case the customer has not initially refused such use.

5. Electronic mail sent for direct marketing must not disguise or conceal the identity of the sender or the person on whose behalf and / or for the benefit of whom the communication is made, and must not be sent without a valid address to which the recipient may send a request that such communication cease.

ONLINE PRIVACY

Part 14 of the Electronic Communications and Postal Services Law deals with the collection of location and traffic data and the use of cookies (and similar technologies) by publicly available electronic communication service providers.

Traffic Data

Traffic Data concerning subscribers and users, which are processed so as to establish communications and which are stored by persons, shall be erased or made anonymous at the end of a call, except:

for the purpose of subscriber billing and interconnection payments, and

if the subscriber or user consents that the data may be processed by a person for the purpose of commercial promotion of that person’s electronic communications services or for the provision of value added services.

The prohibition of storage of communications and the related traffic data by persons other than the users, or without their consent, is not intended to prohibit any automatic, intermediate and transient storage of this information. Users or subscribers shall be given the possibility to withdraw their consent for the processing of Traffic Data at any time.

Location Data

Location Data may only be processed when made anonymous, or with the explicit consent of the users or subscribers to the

extent and for the duration necessary for the provision of a value added service.

The service provider must inform the users or subscribers, prior to obtaining their consent, of the following:

the type of Location Data which will be processed;

the purpose and duration of the processing; and

whether the data will be transmitted to a third party for the purpose of providing the value added service.

Users or subscribers shall be given the possibility to withdraw their consent for the processing of Location Data at any time.


Cookie Compliance

The storage and use of cookies and similar technologies is permitted only if the subscriber or user concerned has been provided

with clear and comprehensive information, inter alia, about the purposes of the processing, and has given his consent in

accordance with the Processing of Personal Data Law.

The above shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of

a communication over an electronic communications network, or as strictly necessary in order to provide an information society

service explicitly requested by the subscriber or user.

With regards to information society services, when such services are addressed to a child and provided to him / her on

the basis of his / her consent – such consent is valid if he / she is at least 14 years old.

KEY CONTACTS

Pamboridis LLC

www.pamboridis.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Christy Spyrou
Partner

T +357 22 752525

spyrou@pamboridis.com


CZECH REPUBLIC

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) to such data subjects in the EU (no payment is required) or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The new Czech Act No. 110/2019 Coll., on Personal Data Processing, being the Czech GDPR implementation law, came into effect on 24 April 2019. This statute fully replaced the older Personal Data Protection Act (Act No. 101/2000 Coll., as amended) and regulates personal data processing within the scope of Regulation (EU) 2016/679, as well as the processing of such data by competent authorities for the purposes of preventing, investigating and detecting criminal activity and ensuring safety and public order.

It also regulates the competence of the Office for Personal Data Protection, and the processing of personal data in the course of ensuring the defence and security of the Czech Republic.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.


Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Czech Republic is supervised by the Office for Personal Data Protection (UOOU).

UOOU is the central administrative authority for the protection of personal data, which in the Czech Republic is governed by Regulation (EU) 2016/679 and Act No. 110/2019 Coll.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up to date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (under EU or Member State law) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventive or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose


Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new purpose is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)


A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, available at http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorised by EU or Member State law; or

c. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).


The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay, Japan, New Zealand, the Republic of Korea and the United Kingdom.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymisation and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,


and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,


proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

When dealing with e-marketing, it is necessary to bear in mind that it is quite strictly regulated in terms of Act No. 480/2004 Coll. on Certain Services of Information Society (“CSIS”) as well as other previously mentioned regulations (esp. the Data Protection Directive and the Act) and partially also by Act No. 127/2005 Coll., on electronic communications (“AEC”), which is further described in the Online Privacy section.

CSIS states that before sending an e-mail containing marketing information, the consent of the receiver must be obtained (so

called “opt-in” principle). In some cases, such as e-marketing sent to existing customers of the sender, the consent of the

customer is implied until it is withdrawn (so called “opt-out” principle). Furthermore, each such message must contain clear and


visible information that any further sending of such e-mails can be rejected by the receiver together with the sender’s contact

information and information on whose behalf the e-mail is being sent. Last but not least, each such e-mail must be clearly tagged as

a commercial message.

In order to maintain e-marketing as an effective tool, its sender should operate with good-quality databases, which enable a direct targeting of the relevant message. The sender should ensure, in particular, that (i) he will duly obtain the right to use the database for e-marketing purposes and also that (ii) personal data in the database were lawfully obtained and can be lawfully disposed of by the database owner.

When processing personal data for marketing databases, it is necessary to abide strictly by the Act. All rules described above apply

to e-marketing respectively.

ONLINE PRIVACY

Online privacy is also supervised by the Office. Handling personal data is subject to the similar rules as mentioned above and

specific issues are governed by Act No. 127/2005 Coll. on Electronic Communications (‘AEC’).

Consent to collection and processing of personal data may be expressed by electronic means, especially by filling in an electronic form.

Public electronic communication service providers are obliged to ensure the security of the personal data they process which

includes technical security and creation of internal organisational regulations.

In cases of a personal data breach a public electronic communication service provider is obliged to notify the Office “without

necessary delay”, and in the event that the breach of protection could very significantly affect the privacy of a certain individual,

such person must be notified as well.

Apart from a few exceptions, traffic data held by a public electronic communication service provider must be erased or

anonymised when it is no longer necessary for the transmission of a communication.

As regards cookies, the Czech law is still using the ‘opt-out’ principle because the user must be informed and explicitly allowed to

refuse the cookies storage (no prior consent required). The ‘opt-in’ principle as introduced by the Directive 2009/136/EC has not

been implemented into Czech law, although many state authorities, including the Office, publicly declared the opposite.

Nevertheless, due to the above-mentioned ambiguity, we cannot exclude the risk that the Office will require the prior consent to

be given by visitors of the relevant web-site according to the generally applicable obligation under the Act, if the relevant cookie is

able to identify the specific user.

Relevant supervising and enforcing authorities in this area are primarily the Office and to some extent also the Czech

Telecommunication Office.

It is likely that an amendment to the Czech Electronic Communications Act will be effective as of 1 January 2022, which

should bring a change from an opt-out to an opt-in regime. Thus, the use of cookies on a website should only be

permitted if the visitor has given his or her demonstrable active consent to the scope and purpose of the processing.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Jan Rataj
Senior Associate

T +420 222 817 800

jan.rataj@dlapiper.com

Jan Metelka
Associate

T +420 222 817 825

jan.metelka@dlapiper.com


DEMOCRATIC REPUBLIC OF CONGO

Last modified 21 February 2022

LAW

The protection of personal data is included in the law on telecommunications, information and communication technology N° 20/017 of 25 November 2020 and published in the official journal on 22 September 2021 (the “Law”). The Law entered into force on the date of its approval (25 November 2020).

The Ministerial Decree which should regulate the more practical details of the law has not yet been issued.

DEFINITIONS

Definition of Personal Data

Personal data: any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an

identification number or to one or more factors specific to his/her physical, physiological, genetic, mental, cultural, social or

economic identity (Article 4, 37).

Definition of Sensitive Personal Data

There is no separate definition of sensitive data, but the Law prohibits the collection of certain data which can be considered as

sensitive:

The collection and processing of personal data revealing racial, ethnic or regional origin, parentage, political opinions,

religious or philosophical beliefs, trade union membership, sex life, genetic data or, more generally, data relating to the

state of health of the person concerned, are prohibited.

NATIONAL DATA PROTECTION AUTHORITY

ARPTC (Autorité de Régulation de la Poste et des Télécommunications du Congo, or the authority for the regulation of postal and telecommunication services).

REGISTRATION

Not yet determined.

DATA PROTECTION OFFICERS

Not applicable.


COLLECTION & PROCESSING

The collection and processing of personal data can only be carried out with the prior and explicit consent of the person

concerned or on the request of the public prosecutor’s office.

TRANSFER

Explicit and prior consent of the person is required.

SECURITY

Not applicable.

BREACH NOTIFICATION

Not applicable.

ENFORCEMENT

No known cases as the Law is relatively new. 

Criminal sanctions apply as well as a fine ranging from USD 25,000 to 50,000 for the entity employing a person who breached data

protection laws.

ELECTRONIC MARKETING

Not applicable.

ONLINE PRIVACY

Not applicable.

KEY CONTACTS

PKM Africa

www.lawpkm.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Sophie Kabano Niwese
Partner

PKM Africa

T +32 476 080 079

sophie.kabano@lawpkm.com

Mark Verelst
Senior Legal Expert

PKM Africa

T +32 495 79 05 69

mark.verelst@lawpkm.com


DENMARK

Last modified 10 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force

in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on

May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

To implement the GDPR, the Danish Parliament enacted the Danish Act on Data Protection (the ‘Danish Data Protection

Act’) on May 17, 2018, enforceable on May 25, 2018 and replacing the previous Danish Act on Processing of Personal

Data (Act no. 429 of 31/05/2000). Hence, data protection and processing in Denmark is now regulated by the GDPR as

supplemented by the Danish Data Protection Act.

The Danish Data Protection Act does not apply to Greenland and the Faroe Islands.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.


The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set

of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The definitions used in the Danish Data Protection Act correspond to the definitions as set out in the GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Datatilsynet

Carl Jacobsens Vej 35

2500 Valby

T +45 33 19 32 00

dt@datatilsynet.dk

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).


In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

In Denmark, the following types of processing require the DPA’s preapproval:

private data controllers’ processing of personal data revealing racial or ethnic origin, political opinions, religious or

philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for uniquely

identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual

orientation (‘Special Categories of Personal Data’), solely in the public’s interest

disclosure of personal data as mentioned in Articles 9(1) and 10 of the GDPR, originally processed for the sole

purpose of carrying out scientific or statistic studies, if i) such data is to be processed outside the geographical

scope of the GDPR, ii) the data constitutes biological material or iii) if the data is to be published in a recognised

scientific journal or similar

processing personal data in a register on behalf of a private data controller:

solely for the purpose of warning other businesses from engaging in business with or employing a natural

person

with the intention of commercial exploitation of data on the natural person’s creditworthiness and

financial solidity, or

for the creation of a register on judicial information

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systemic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be

told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article

38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;


to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Under the Regulation, organizations shall designate a data protection officer (‘DPO’) in any case where:

the processing is carried out by a public authority or body, except for courts acting in their judicial capacity

the core activities of the data controller or the processor consist of processing operations which, by their nature,

their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale, or

the core activities of the controller or the processor consist of processing on a large scale of Special Categories

of Personal Data and personal data relating to criminal convictions and offences

The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection

law and practices and the ability to fulfill the tasks referred to in the GDPR.

Under the Danish Data Protection Act, the DPO is subject to a duty of secrecy and is prohibited from wrongful disclosure

or use of any personal data processed in their capacity of being DPO.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Denmark 295 | | | www.dlapiperdataprotection.com

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their

legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are


processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s


highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results

relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the

search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

necessary for entering into or performing a contract;

authorized by EU or Member State law; or

the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

The GDPR differentiates between 1) Personal data, 2) Special Categories of Personal Data, 3) Data on criminal offences

and 4) National identification numbers (CPR numbers). See below.

1. Personal data

Under the GDPR, data controllers may legally register and process personal data (all data except the Special Categories of

Personal Data, Data on criminal offences and national identification numbers) only when at least one of the following

conditions is met:

the data subject has given his explicit consent in accordance with article 7 and 8 (children’s consent) of the GDPR

processing is necessary for the performance of a contract to which the data subject is party or in order to take

steps at the request of the data subject prior to entering into a contract

processing is necessary for compliance with a legal obligation to which the controller is subject

Judgment of the CJEU in Case C-131/12: http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631

processing is necessary in order to protect the vital interests of the data subject or any other natural person

processing is necessary for the performance of a task carried out in the public interest or for the performance of

a task carried out in the exercise of official authority vested in the data controller, or

processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the

third party to whom the data is disclosed, unless these interests are overridden by the data subject’s fundamental rights, including civil rights, or other interests of the data subject

2. Special Categories of Personal Data

Special Categories of Personal Data (as detailed under ‘Registration’) may be processed only when at least one of the

following conditions is met:

the data subject has given his explicit consent to the processing of such data for one or several purposes

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data

controller or of the data subject in the field of employment law

processing is necessary to protect the vital interests of the data subject or of another natural person where the

person concerned is physically or legally incapable of giving his or her consent

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation,

association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on

condition that the processing relates solely to the members or to former members of the body or to persons

who have regular contact with it in connection with its purposes and that the personal data are not disclosed

outside that body without the consent of the data subjects

processing relates to personal data which are manifestly made public by the data subject

processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in

their judicial capacity

the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or

treatment, or the management of medical and health care services, and where those data are processed by a

health professional subject under law to the obligation of professional secrecy

processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless

such is carried out by a public organization.

Personal data and Special Categories of Personal Data may also be processed where the processing is carried out in relation to the data subject’s employment with the data controller, where it is necessary for the data controller to comply with employment-related obligations or rights under applicable law or collective agreements, or where it is necessary for the data controller or a third party to pursue legitimate interests arising from other legislation or collective agreements, provided that the civil rights and interests of the data subject take precedence.

Furthermore, personal data may be processed where the processing takes place for the sole purpose of carrying out

statistical or scientific studies of significant importance to society and where such processing is necessary in order to carry

out these studies. Sharing of personal data for such purposes will, however, be subject to the conditions set forth in the Danish Ministerial Order no. 1509 of 18 December 2019, according to which personal data shared for the purpose of carrying out statistical or scientific studies must, amongst other things, be pseudonymised before sharing, unless direct identification is strictly necessary.

3. Data relating to criminal convictions and offences

Data relating to criminal convictions and offences may be processed by public data controllers only if the processing is

strictly necessary for the performance of regulatory and public tasks. No such data can, however, be disclosed unless at least one of the following conditions is met:

the data subject has given explicit consent to such disclosure

disclosure takes place for the purpose of safeguarding private or public interests which clearly override the

interests of secrecy, including the interests of the person to whom the data relate


disclosure is necessary for the performance of the activities of an authority or required for a decision to be made

by that authority; or

disclosure is necessary for the performance of tasks for a public authority by a person or an enterprise

Private data controllers may process data relating to criminal convictions and offences, if the data subject in question has

given his or her explicit consent in accordance with article 7 of the GDPR, or if the processing is strictly necessary to

carry out interests significantly exceeding the interests of the data subject. None of the data may be disclosed without the

explicit consent of the data subject, unless such disclosure takes place for the purpose of safeguarding public or private

interests, including the interests of the person concerned, which clearly override the interests of secrecy.

Both public and private actors may process data relating to criminal convictions and offences if at least one of the following

conditions is met:

processing is necessary for the purpose of carrying out the obligations and exercising specific rights of the data

controller or of the data subject in the field of employment law

processing is necessary to protect the vital interests of the data subject or of another natural person where the

person concerned is physically or legally incapable of giving his or her consent

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation,

association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on

condition that the processing relates solely to the members or to former members of the body or to persons

who have regular contact with it in connection with its purposes and that the personal data are not disclosed

outside that body without the consent of the data subjects

processing relates to personal data which are manifestly made public by the data subject

processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in

their judicial capacity

the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or

treatment, or the management of medical and health care services, and where those data are processed by a

health professional subject under law to the obligation of professional secrecy, or

processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless

such is carried out by the public organization.

4. National identification numbers

National identification numbers (in Danish ‘CPR-nummer’) may be processed by public organizations for the purpose of identification or as a reference number.

Private data controllers may process CPR-nummer when at least one of the following conditions is met:

the process is required under statutory law

the data subject concerned has given his or her explicit consent in accordance with article 7 of the GDPR

the processing is carried out for scientific or statistic purposes (however not for publication which requires a

specific consent)

the CPR-nummer is disclosed as part of the company’s natural operations and such disclosure is of significant

importance to the company to ensure identification of the data subject in question or requested by a public

authority

processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data

controller or of the data subject in the field of employment law

processing is necessary to protect the vital interests of the data subject or of another natural person where the

person concerned is physically or legally incapable of giving his or her consent

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation,

association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on


condition that the processing relates solely to the members or to former members of the body or to persons

who have regular contact with it in connection with its purposes and that the personal data are not disclosed

outside that body without the consent of the data subjects

processing relates to personal data which are manifestly made public by the data subject

processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in

their judicial capacity

the processing is necessary for the purposes of preventive medicine, medical diagnosis, the provision of care or

treatment, or the management of medical and health care services, and where those data are processed by a

health professional subject under law to the obligation of professional secrecy, or

processing is necessary for reasons of substantial public interest. The DPA must approve the processing unless it

is carried out by a public data controller

5. Transparency requirements

The data controller must, at the time when personal data are obtained (no later than within one month after), provide the

data subject with the necessary information to fulfil the duty of information, including information about:

the identity of the data controller, his representative and the DPO (if applicable)

the contact details of the data controller/the representative

the categories of data concerned

the purposes of the processing for which the data is intended as well as the legal basis for the processing

the legitimate interests pursued by the data controller, where the processing is based on article 6(1)(f) of GDPR

the recipients or categories of recipients of the personal data, (if any)

(where applicable), information of transfer of data to third countries or international organizations or the

intention hereof, as well as reference to the appropriate and suitable safeguards in connection with such transfers

The period for which the data will be stored

The data subject’s right to withdraw a consent at any time

The data subject’s rights, including to lodge a complaint, deletion, insight and correction

From which source the personal data originate (if applicable), and whether it came from publicly accessible

sources (if applicable)

The existence of automated decision making (if applicable)

Under the Danish Data Protection Act the above-mentioned obligation does not apply if the interests of the public, other people or the data subject itself exceed the data subject’s interest in obtaining the information.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy

Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and

in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:


explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

The Danish Data Protection Act does not regulate transfer of personal data. Thus, the articles of the GDPR apply, under which data controllers may transfer all types of personal data to a third country or an international organization outside the EU/EEA if any of the following conditions are met:

the EU Commission has established that the third-country/area or one or more specific sectors in the third

country, or the international organization has adequate safeguards with respect to the protection of the rights of

the data subject

the controller or processor has provided appropriate safeguards, on the condition that enforceable data subject

rights and effective legal remedies for data subjects are available (such as through binding corporate rules –

approved by the DPA)

the data controller or data processor and the international organization enter into the standard terms approved

by the EU Commission

If no approval has been obtained on the third country’s adequate safeguards and no appropriate safeguards have been

provided including binding corporate rules, personal data can be transferred to a third country or an international

organization if one of the following criteria is met:

the data subject has given his explicit consent

the transfer is necessary for the performance of a contract between the data subject and the controller or the

implementation of pre-contractual measures taken in response to the data subject’s request

the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data

subject between the controller and a third party

the transfer is necessary or legally required on important public interest grounds

the transfer is necessary for the establishment, exercise or defence of legal claims

the transfer is necessary in order to protect the vital interests of the data subject or other natural person, where

the person concerned is physically or legally incapable of giving his or her consent

the transfer is made from a register which according to law or regulations is open to consultation either by the

public in general or by any person who can demonstrate legitimate interests, to the extent that the conditions laid

down in law for consultation are fulfilled in the particular case

SECURITY


Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.

The Danish Data Protection Act does not set out provisions on security requirements. Thus, the articles of the GDPR

apply, under which data controllers and data processors must implement appropriate technical and organizational security

measures necessary to protect data against accidental or unlawful destruction, loss or alteration and against unauthorized

disclosure, abuse or other processing in violation of the provisions laid down in the Danish Data Protection Act.
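Pseudonymisation is the first measure Article 32 lists and is also what the Danish Ministerial Order requires before research data are shared (see the Special Categories section above). It is easy to get wrong: an unkeyed hash of a low-entropy identifier such as a national identification number offers little protection, because anyone holding the dataset can hash every candidate value and match. The block below is an added example, not text or code from the DLA Piper guide, showing a keyed, deterministic pseudonym (HMAC-SHA256) that keeps records of the same person linkable within a study while the key, and therefore the ability to re-identify, stays with the controller. The record layout, field names and identifier values are constructed placeholders.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Sequence

# Constructed sample dataset (assumption: illustrative only). The "cpr" values
# are placeholders written in CPR-number style; they are not valid numbers.
SAMPLE_RECORDS = [
    {"cpr": "010190-0000", "diagnosis": "J45", "municipality": "0101"},
    {"cpr": "020285-0001", "diagnosis": "E11", "municipality": "0101"},
    {"cpr": "010190-0000", "diagnosis": "J45", "municipality": "0101"},  # same person, second visit
]

# Fields that directly identify the data subject and must not leave the controller.
DIRECT_IDENTIFIERS: Sequence[str] = ("cpr",)


def new_pseudonymisation_key() -> bytes:
    """A fresh 256-bit key. It is the only thing that links pseudonyms back to
    identifiers, so it is stored apart from the shared dataset (for example in a
    key vault) and is never handed to the recipient of the data."""
    return secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256(key, identifier).

    Deterministic, so the study can still link records of the same person;
    keyed, so a party holding the dataset but not the key cannot reverse it by
    hashing every possible identifier, which a plain SHA-256 over a small
    identifier space would allow."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, str]], key: bytes,
                 fields: Sequence[str] = DIRECT_IDENTIFIERS) -> List[Dict[str, str]]:
    """Return copies of the records with each direct identifier replaced by its
    pseudonym under '<field>_pseudonym'; the original values are dropped and
    the input records are left untouched."""
    shared = []
    for rec in records:
        out = dict(rec)
        for f in fields:
            if f in out:
                out[f + "_pseudonym"] = pseudonym(out.pop(f), key)
        shared.append(out)
    return shared


def reidentification_table(records: Iterable[Dict[str, str]], key: bytes,
                           field: str = "cpr") -> Dict[str, str]:
    """pseudonym -> identifier map, kept by the controller only (with the key),
    for the cases where direct identification later proves strictly necessary."""
    return {pseudonym(r[field], key): r[field] for r in records if field in r}


def leaks_direct_identifier(shared: Iterable[Dict[str, str]],
                            fields: Sequence[str] = DIRECT_IDENTIFIERS) -> bool:
    """Release check: True if any direct identifier field survived in the output."""
    return any(f in rec for rec in shared for f in fields)


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    shared = pseudonymise(SAMPLE_RECORDS, key)
    assert not leaks_direct_identifier(shared)
    print(shared)
```

The release check is deliberately separate from the transformation: a dataset should be tested for surviving direct identifiers immediately before it leaves the controller, regardless of which pipeline produced it. Quasi-identifiers such as the municipality field are not removed here; whether they need further treatment is a separate assessment of the recipient and the purpose.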

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The Danish Data Protection Act does not set out provisions on notification in case of security breach. Thus, the articles

of the GDPR apply, under which the data controller must notify the DPA without undue delay and, where feasible, no later than

72 hours after becoming aware of the security breach.

Breaches can be reported to the Danish Data Protection Agency by filling out a form on the Danish Business Authority’s

website.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Denmark 303 | | | www.dlapiperdataprotection.com

Further, if the security breach is likely to result in a high risk to the rights and freedoms of the data subject, the data

controller shall notify the data subject without undue delay.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:


any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The DPA is responsible for the supervision of all processing operations covered by the Danish Data Protection Act.

The DPA can request any information deemed necessary for the DPA’s operations, including for deciding whether

the Danish Data Protection Act and the GDPR apply or not.

The DPA and its personnel can without a court order request access to premises from which processing of personal data

is performed.

The DPA’s decisions are final and not subject to recourse.

The DPA may investigate data processing occurring in Denmark and the legality thereof, even where the processing is

subject to foreign law.

The DPA may publish its findings and decisions.

Any person suffering material or non-material damage due to unlawful data processing can claim damages.

Unless a higher penalty is prescribed by other legislation, processing deemed unlawful under the Danish Data Protection Act

is sanctioned with a fine or imprisonment for up to six months.

In general, the GDPR aims to impose fines that are effective, proportionate and dissuasive. More specifically, certain

violations can be sanctioned with a fine of up to EUR 10,000,000 or 2% of total annual worldwide turnover (in the case of an

undertaking), whichever is higher. Other types of violations can be sanctioned with a fine of up to EUR 20,000,000 or 4% of

total annual worldwide turnover (in the case of an undertaking), whichever is higher.

The statute of limitation period is five years.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced


by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

In general, unsolicited electronic marketing requires prior opt-in consent. The opt-in requirement is waived under the ‘same

service / product’ exemption. The exemption concerns marketing emails related to the same products / services as previously

purchased from the sender by the user provided that:

the user has been informed of the right to opt out prior to the first marketing email

the user did not opt out, and

the user is informed of the right to opt out of any marketing email received. The exemption applies to electronic

communication such as electronic text messages and email but does not apply with respect to communications sent by

fax.

Direct marketing emails must not disguise or conceal the identity of the sender.

The GDPR applies to electronic marketing activities involving usage of personal data (eg, an email address which includes

the recipient’s name).

Under the GDPR, companies are prohibited from disclosing personal data to another company for direct marketing

purposes, or from using the data on behalf of another company for marketing purposes, unless the data subject has given

his or her explicit consent. In this regard, the strict standard for consent under the GDPR must be noted, and marketing

consent forms must include a clearly worded opt-in mechanism (such as the ticking of an unticked consent box, or the signing

of a statement, and not merely an acceptance of terms and conditions, or consent implied from conduct, such as visiting a

website).

General customer information (general information forming the basis for customer classification) may, however, be

disclosed and processed without the data subject’s consent, if such is necessary for the purposes of legitimate interests

pursued by the company and these interests are not overridden by the interests of the consumer. However, Special

Categories of Personal Data and CPR-numbers can only be processed for marketing purposes by the consent of the data

subject.

The company disclosing the personal data, or processing the personal data on behalf of another company for marketing

purposes, must first ensure that the data subject has not declined to receive marketing material by registering as such in

the Danish Central Office of Personal Registration.

For controllers selling catalogues of data on natural persons, or addressing those natural persons on behalf of a

company, only the natural person’s name, work position, address, occupation, email, phone and fax number and business

information published in business registers may be processed. Any other kind of data can only be processed if the data

subject has consented thereto.

Further, specific rules on electronic marketing (including circumstances in which consent must be obtained) are set out

in Directive 2002/58/EC (the ePrivacy Directive), as amended by Directive 2009/136/EC and as transposed into the local laws

of each Member State. In Denmark, the ePrivacy Directive has among other things been implemented in the Danish Marketing

Practices Act.

Under the Danish Marketing Practices Act, a trader must not approach anyone by means of electronic mail, an automated

calling system or a facsimile machine (fax) for the purposes of direct marketing unless the natural person concerned has

given his prior consent. The trader must allow free and easy revocation of the consent.

Notwithstanding the above, a trader that has received a customer’s electronic contact details in connection with the sale

of products may market similar products to that customer by electronic mail, provided that the trader has clearly and

distinctly given the customer the opportunity, free of charge and in an easy manner, of declining this both when giving his


contact details to the trader and in all subsequent communications.

The ePrivacy Directive is to be replaced by the ePrivacy Regulation, a change which was forecast for spring 2018,

however, now postponed indefinitely. From the wording of the latest draft, we can expect a significant toughening of the

online and direct marketing landscape and, predictably, a convergence with the provisions in the GDPR.

ONLINE PRIVACY

Traffic data

Traffic data qualifies as personal data. Providers of telecommunication services may collect and use the following traffic data to the

following extent:

the number or other identification of the lines in question or of the terminal

authorization codes, additionally the card number when customer cards are used

location data when mobile handsets are used

the beginning and end of the connection, indicated by date and time and, where relevant to the charges, the volume of

data transmitted

the telecommunications service used by the user

the termination points of fixed connections, the beginning and end of their use, indicated by date and time and, where

relevant to the charges, the volume of data transmitted, and

any other traffic data required for setup and maintenance of the telecommunications connection and for billing purposes.

Stored traffic data may be used after the termination of a connection only where required to set up a further connection, for

billing purposes or where the user has requested a connection overview.

The service provider may collect and use the customer data and traffic data of subscribers and users in order to detect, locate and

eliminate faults and malfunctions in telecommunications systems. This applies also to faults that can lead to a limitation of

availability of information and communications systems or that can lead to an unauthorized access of telecommunications and data

processing systems of the users.

Otherwise, traffic data must be erased by the service provider without undue delay following termination of the connection.

Service providers have to inform users immediately if any faults in the users’ data processing systems become known.

Furthermore, the service provider has to inform users about measures for detecting and rectifying faults.

Location Data

Location Data qualifies as personal data. This data may only be processed as required for the provision of requested services and

is subject to prior information of the user. For all other purposes, the user’s informed consent must be obtained. According to

Section 4a BDSG and Section 13 of the German Telemedia Act (TMG), this means that:

the user’s consent must be intentional, informed and clear. For this purpose the user must be informed on the type, the

scope, the location and the purpose of data collection, processing and use including any forwarding of data to third parties

the user’s consent must be recorded properly

the user must be able to access the content of his consent declaration any time. It is sufficient that such information is

provided upon the user’s request

the user’s consent must be revocable at all times with effect for the future.

Users must always be informed of the use of cookies in a privacy notice. Cookies may generally be used if they are required in

order to perform the services requested by the user. Otherwise, users must be provided with an opt-out mechanism. For this

purpose, information on the use of cookies together with a link on how to adjust browser settings in order to prevent future use

is sufficient.


Germany has not yet taken any measures to implement the ePrivacy Directive. However, in February 2014 the German Federal

Ministry for Economic Affairs declared that the European Commission considers the Cookie Directive as implemented in Germany.

However, since the European Commission’s exact interpretation is not known, a final official clarification is awaited. It therefore

remains to be seen whether an active opt-in, eg, by clicking on a pop-up screen, will be required in the future.

Different rules apply in the case of tracking technologies which collect and store a user’s IP address. Since IP addresses qualify as

personal data, their processing for tracking and marketing services requires active opt-in consent.

Directive 2002/58/EC (the ePrivacy Directive), as amended by Directive 2009/136/EC, was among other things also implemented

in the Danish Act on Electronic Communications Services and Networks, which came into force on May 25, 2011 in accordance

with the implementation deadline in the Directive. Pursuant to this act, the Danish Executive Order on Electronic

Communications Services and Networks (the ‘Cookie Order’) was adopted and came into force on May 25, 2018.

The Cookie Order should be read in the light of the GDPR, but its rules regulate the storage of and access to information on a

user’s device in a broader sense, regardless of whether that information can be used to identify a natural person.

Under the “Cookie Order” the use of cookies requires a consent. The consent must be freely given and specific.

However, this does not imply that consent must be obtained each time a cookie is used but a user must be given an

option. Furthermore, the consent must be informed which implies that a user must receive information about the

consequences of consenting. To meet the information requirement, one must: 

Provide the information in a clear and explicit language, that is easy to understand or a similar imagery that is easy

to understand, e.g. pictograms

Explain the purpose of using cookies

Tell the users who is behind the cookies used – this may be the website owner or a third party

Inform the user how to give consent or reject the use of cookies

Explain how the user can withdraw his or her consent

State the duration of the cookies (expiry date) 

Finally, the consent must be a clear indication of the user’s wishes, which entails meeting the following requirements: 

The user must be able to consent or refuse to consent to the use of cookies

The user must be able to withdraw a previously given consent

The user should easily be able to find further information about the use of cookies on the website

The consent must be linked to the purpose for which the data collection is to be used 

Previously, continued use of a website after having received the relevant information could (to some extent) be considered

valid consent in Denmark. This is no longer the case; a more explicit consent is now required (eg, the clicking of an

“accept” button).

The ePrivacy Directive is to be replaced by the ePrivacy Regulation, a change which was forecast for spring 2018,

however, now postponed indefinitely, and the timeframe for changes to the abovementioned rules is thus currently

unknown.

From the wording of the latest draft, however, it is unsurprisingly safe to say that the definition of consent used in the

GDPR is carried on and is to be read across into the draft e-Privacy Regulation text. Further, the draft also introduces

significant practical changes, so that obtaining consent will require much more effort. Technology providers are required

to include default settings which must all be set to preclude third parties from storing information on, or using information

about, an end-user’s device. So, browsers would have to be pre-configured so that cookies used for frequency capping of

ads or ad-serving would be blocked by default unless a user opts to enable them.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Marlene Winther Plas
Partner

T +45 33 34 00 47

marlene.plas@dlapiper.com

https://www.dlapiperdataprotection.com/scorebox/


DOMINICAN REPUBLIC

Last modified 24 January 2022

LAW

Section 44 of the Dominican Constitution recognizes citizens’ right to access their personal data stored in public or private

databases, as well as their right to information concerning the purpose and use of the same.

The Constitution also establishes that the processing of personal data must be carried out in accordance to the principles of:

Reliability

Legality

Integrity

Security, and

Purpose of the information

 The collection, storage and safekeeping of personal data, as well as usage and access rights concerning such personal data, are

governed by the provisions of Law No. 172-13 on the Protection of Personal Data enacted December 13, 2013 (DPL).

In addition to setting forth the legal regime for the protection of personal data, the DPL establishes regulations governing the

constitution and operation of credit bureaus.

For the purposes of the DPL, the term ‘credit bureau’ refers to companies dedicated to collecting, organizing, storing, conserving,

providing, transferring or transmitting data regarding consumers (including goods and services related to the same), as well as any

other information provided by the Superintendent of Banks.

DEFINITIONS

Definition of personal data

Personal data consists of any information, whether numerical, alphabetical, graphic, photographic, or acoustic, or any other type of

data which concerns individuals that are identified or identifiable.

Definition of sensitive personal data

The term ‘sensitive data’ refers to personal data that reveals its subject´s:

Political opinions

Religious, philosophical or moral convictions

Affiliation to labor unions, and

Information concerning health or sex life

Personal data concerning the health of an individual encompasses any information concerning their past, present or future physical


or mental health.

NATIONAL DATA PROTECTION AUTHORITY

The Dominican Republic does not have a national data protection authority.

Section 29 of the DPL establishes that databases and registries, whether public or private, intended to provide credit reports (ie

credit bureaus) are subject to the inspection and supervision of the Superintendent of Banks.

REGISTRATION

Except for credit bureaus, the Dominican Republic does not maintain a registration of personal data controllers or databases, nor

of companies that carry out the processing of personal data.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer under the DPL.

COLLECTION & PROCESSING

The general rule for the treatment of personal data under the DPL is the consent requirement. Consent is valid when there is a

manifestation of free will, in an unequivocal, specific and informed manner, whereby the data subject consents to the treatment of

personal data concerning him or her.

The DPL provides that the treatment and transfer of personal data is illegal when the data subject has not consented to such

usage, unless an exception is provided by law.

For purposes of the foregoing, the DPL defines treatment as operations and procedures (electronic or otherwise), that allow for

the:

Collection

Storage

Organization

Modification

Evaluation

Destruction

In general, the processing of personal data, or

Its transfer to third parties via communications, interconnections or transfers

Exceptions to the consent requirement include, among others:

When the data is obtained from a public source

When the data is obtained for the exercise of public duties or pursuant to a legal obligation to do so

When the data is obtained for marketing purposes and is limited to certain basic information (eg, name, ID, passport, tax

ID)

The data derives from a commercial, employment or contractual relationship, or from a professional or scientific

relationship with the data subject, and is necessary for its development or compliance

TRANSFER

Transfer is considered a form of ‘treatment’ of personal data under the DPL; hence, the rules apply, including consent

requirements. Additional restrictions are provided under the DPL for international data transfers.

Personal data may only be transferred internationally if the owner of the data expressly authorizes such transfer, or if such

transfer is necessary for the performance of a contract between the owner of the data and the person or entity responsible for

the treatment of the personal data.


SECURITY

The controller and, if applicable, the processor, is required to adopt and implement the necessary technical, organizational and

security measures to safeguard personal data and avoid its:

Alteration

Loss

Treatment

Consultation, or

Unauthorized access

The DPL prohibits the storage of personal data in files, records or databases that do not meet the necessary technical conditions

for guaranteeing their integrity and security. Additionally, credit bureaus and users or subscribers shall take the necessary

measures to prevent the alteration, loss or unauthorized access to personal data.

BREACH NOTIFICATION

There is no obligation to notify a breach.

ENFORCEMENT

Data subjects have the right to institute habeas data proceedings to obtain information about the data held that refers to the

relevant data subject.

The DPL expressly recognizes the right of data subjects to recover damages for violations of their right to privacy and the integrity

of their personal data. Additionally, the DPL provides criminal sanctions (including fines and imprisonment ranging from six months

to two years) which may result from violating the DPL.

Law No. 310-14, which prohibits the sending of unsolicited commercial messages (SPAM), enacted on August 8, 2014 (‘SPAM

Law No. 310-14’), also provides criminal sanctions for fraudulently obtaining personal data from public websites for commercial

purposes (including imprisonment ranging from six months to five years, and fines from 1 to 200 times the minimum wage).

ELECTRONIC MARKETING

Sending commercial or promotional communications via electronic mail is regulated by SPAM Law 310-14. Law 310-14 requires

the consent of the recipient in order to deliver commercial communications, unless an exception to said consent requirement is

expressly provided by law.

Law 310-14 provides that:

The word ‘Publicity’ (Publicidad) must be included in the subject field of the email

Commercial communications must include an email address or other similar mechanism which allows the recipient to

send a message indicating their desire to stop receiving such communications (opt-out)

ONLINE PRIVACY

The Dominican Republic has not enacted specific legislation governing online privacy or the use of ‘cookies’, although the

provisions of the DPL concerning data protection would apply.

Additionally, the unauthorized use of ‘cookies’ could implicate computer misuse laws prohibiting unauthorized access to

computers and information therein, particularly those contained in Law No. 53-07 on high-tech crimes and felonies.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Mary Fernandez
Founding Partner

Headrick

T +809 473 4500

mfernandez@headrick.com.do

Fernando J. Marranzini
Partner

Headrick

T +809 473 4500

fmarranzini@headrick.com.do

https://www.dlapiperdataprotection.com/scorebox/


ECUADOR

Last modified 15 December 2021

LAW

Constitution 

Article 66 of the Constitution of Ecuador, which sets out the personal freedom rights of individuals in Ecuadorian territory,

provides in section 19 that the State recognizes and guarantees: “The right to the protection of personal data, which includes the

access and decision on information and data of this nature, as well as its corresponding protection. The collection, filing, processing,

distribution or dissemination of such data or information shall require the authorization of the owner or the mandate of the law.”

Article 92 gives the right to every person to be informed of and have access to information, documents, genetic data, personal

data banks or files and reports on him/herself and his/her assets, contained in files and/or databases of public or private entities, in

material and/or electronic support. The interested individual has the right to be informed of the use, purpose, origin and

destination of his personal data and the time of permanence of the file of the same. 

The responsible parties of the personal data banks or files may disseminate the information filed with the authorization of its

owner, before which the owner of the personal data may request from the responsible party access to the file free of charge, as

well as the updating, rectification, deletion or cancellation of his personal data. 

In the case of sensitive data, the collection and storage must be authorized by law or by the owner. The adoption of the necessary

security measures will be required. If the request is not complied with, the affected individual may appeal to the judge and may sue

for the damages caused. 

Personal Data Protection Organic Law 

On May 26, 2021, Ecuador adopted the Personal Data Protection Organic Law, whose main purpose is to guarantee the right to

the protection of personal data, including the right to access and decide on information and personal data, as well as its

corresponding protection. The law mainly sets out the conditions that must be met for the legitimate processing of personal

data. It also sets out the ways in which the owner of the personal data may express his or her consent to the processing of

his or her data.

DEFINITIONS

Definition of Personal Data

The Ecuadorian data protection regime distinguishes between personal data and a sub-category of sensitive personal data, depending on the information and the harmful effects caused by its unlawful use.

Article 4 of the Organic Law on Personal Data Protection defines personal data as information that identifies or makes identifiable a specific individual, directly or indirectly.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Ecuador 314 | | | www.dlapiperdataprotection.com

Definition of Sensitive Personal Data

Article 4 of the Organic Law on Personal Data Protection defines sensitive personal data as information related to: ethnicity, gender identity, cultural identity, religion, ideology, political affiliation, judicial background, immigration status, sexual orientation, health, biometric data, genetic data and those whose improper processing may give rise to discrimination, or infringe or may infringe fundamental rights and freedoms.

In application of article 26 of the Organic Law for the Protection of Personal Data, the processing of sensitive personal data is prohibited unless one of the following circumstances applies:

1. The owner has given his explicit consent to the processing of his personal data, clearly specifying its purposes.
2. The processing is necessary for the fulfilment of obligations and the exercise of specific rights of the controller or the holder in the field of labor law and social security and protection.
3. The processing is necessary to protect the vital interests of the data owner or another individual, in the event that the data owner is physically or legally incapable of giving his/her consent.
4. The processing relates to personal data which the data owner has manifestly made public.
5. The processing is carried out by order of a judicial authority.
6. The processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, which must be proportionate to the aim pursued, respect in substance the right to data protection and provide for adequate and specific measures to protect the interests and fundamental rights of the owner.
7. The processing of health data is subject to the provisions contained in this Law.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to the provisions of Articles 76 and 77 of the Organic Law for the Protection of Personal Data, the Authority for the Protection of Personal Data will be the Superintendence of Data Protection, which, once constituted, will act as the control and surveillance body in charge of guaranteeing all citizens the protection of their personal data, and of carrying out all necessary actions to ensure that the principles, rights, guarantees and procedures provided for in the Law and its implementing regulations are respected.

REGISTRATION

Article 51 of the Organic Law for the Protection of Personal Data creates the National Registry for the Protection of Personal Data, a registry that will be under the responsibility and custody of the Superintendence of Data Protection as the competent national protection authority. The person responsible for the processing of personal data shall report to the Personal Data Protection Authority, and keep updated, the following information:

1. Identification of the database treatment.
2. Name, legal domicile, and contact details of the controller and of the individual in charge of the processing of personal data.
3. Characteristics and purpose of the personal data treatment.
4. Nature of the personal data treatment.
5. Identification, name, legal domicile, and contact details of the recipients of the personal data, including processors and third parties.
6. Description of the method used to interrelate the recorded information.
7. Description of the means used to implement the principles, rights and obligations contained in the present Law and specialized regulations for data protection.
8. Requirements and/or technical and physical, organizational, and legal administrative tools implemented to guarantee the security and protection of personal data.
9. Data retention time.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer in Ecuador. Nevertheless, a specific person in the company or a designated group within the company is required to be in charge of personal data matters.


COLLECTION & PROCESSING

The Personal Data Protection Law defines data processing as any operation or set of operations performed on personal data, whether by automated, partially automated or non-automated technical procedures, such as: collection, compilation, obtaining, recording, organization, structuring, conservation, custody, adaptation, modification, elimination, indexing, extraction, consultation, processing, use, possession, exploitation, distribution, assignment, communication or transfer, or any other form of enabling access, matching, interconnection, limitation, suppression, destruction and, in general, any use of personal data.

The processing of personal data shall be legitimate and lawful if any of the following conditions are met:

1. The owner has consented to the treatment of his personal data, for a specific purpose or purposes.
2. It is carried out by the data controller in compliance with a legal obligation.
3. It is carried out by the data controller, by court order, in compliance with the principles of the present Law.
4. The treatment of personal data is based on the fulfilment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller, derived from a competence attributed by a regulation with the rank of law, subject to compliance with the international human rights standards applicable to the matter, to compliance with the principles of this Law and to the criteria of legality, proportionality, and necessity.
5. It is for the execution of pre-contractual measures at the request of the owner or for the fulfilment of contractual obligations pursued by the person responsible for the processing of personal data, the person in charge of the processing of personal data or a legally authorized third party.
6. It is to protect vital interests of the data subject or another natural person, such as his or her life, health, or integrity.
7. It is for the processing of personal data contained in publicly accessible databases; or
8. It is to satisfy a legitimate interest of the data controller or of a third party, provided that the interests or fundamental rights of the data subjects do not prevail under the provisions of this regulation.

Personal data may be processed and communicated when there is explicit consent of the owner to do so. The consent will be valid when the expression of will is:

1. Free, that is, free from any defect of consent.
2. Specific, in terms of the concrete determination of the means and purposes of the data treatment.
3. Informed, so that it complies with the transparency principle.
4. Unambiguous, so that there is no doubt as to the scope of the authorization granted by the owner.

Consent may be revoked at any time without the need for a justification, for which purpose the data controller shall establish mechanisms that guarantee speed, efficiency, effectiveness, and gratuity, as well as a simple procedure, similar to the procedure by which the consent was obtained.

The processing carried out prior to the revocation of consent remains lawful, since the revocation does not have retroactive effect.

When the data treatment is intended to be based on the consent of the data owner for a plurality of purposes, it will be necessary to state that such consent is obtained for all of them.

Unless proven otherwise, it shall be legitimate and lawful to process data intended to provide information on financial or credit solvency, including information relating to the fulfilment or non-fulfilment of obligations of a commercial or credit nature that enable an assessment of the general conduct of business, the commercial conduct or the payment capacity of the owner of the information, where such information is obtained from publicly available sources or from information provided by the creditor. Such data may be used only for the purpose of analysis and will not be communicated or disseminated, nor may they be used for any secondary purpose.

The protection of personal credit data shall be subject to the provisions of this Law, the specialized legislation on the subject and other regulations issued by the Personal Data Protection Authority.

Notwithstanding the foregoing, in no case may credit data relating to obligations of an economic, financial, banking or commercial nature be communicated after five years have elapsed since the obligation to which they refer became due.


Pursuant to the provisions of article 29 of the Organic Law on Personal Data Protection, the holders of Credit Data have the following rights:

1. To have personal access to the information of which they are owners.
2. That the credit report allows them to know the condition of their credit history clearly and precisely; and,
3. That the sources of information update, rectify or eliminate information that is unlawful, false, inaccurate, erroneous, incomplete, or outdated.

Regarding the right of access by the Credit Data Owner, this shall be free of charge, as many times as required, with respect to the information registered about him/herself before the credit reference service providers and through the following mechanisms:

1. Direct observation through displays that the credit reference service providers will make available to such owners; and
2. Delivery of printed copies of the reports for the Credit Data Subject to verify the truthfulness and accuracy of their content, without being used for credit or commercial purposes.

Regarding the rights of updating, rectification or deletion, the Data Owner may demand these rights from the information sources by means of a written request. The information sources, within fifteen days from the date the request is submitted, shall resolve it by admitting or rejecting it with reasons. The Credit Data Owner has the right to request that the credit reference service providers indicate in the credit reports they issue, while the review process continues, that the information subject to the request is being reviewed at the owner’s request.

TRANSFER

Personal data may be transferred or communicated to third parties when this is carried out for the fulfillment of purposes directly related to the legitimate functions of the controller and the recipient, when the transfer falls within one of the grounds of legitimacy and also has the consent of the owner.

Consent is understood to be informed when, for the transfer or communication of personal data, the data controller has provided sufficient information to the data subject to enable him/her to know the purpose for which his/her data will be used and the type of activity of the third party to whom it is intended to transfer or communicate such data.

It will not be considered a transfer or communication when the processor or a third party accesses personal data for the provision of a service to the controller of personal data. The third party who has legitimately accessed personal data on these terms shall be considered the processor.

The treatment of personal data carried out by the processor or by a third party must be regulated by a contract, in which it is clearly and precisely established that the personal data processor or the third party will only process the information in accordance with the instructions of the owner and will not use it for purposes other than those indicated in the contract, nor transfer or communicate it, even for storage, to other persons.

Once the contractual performance has been fulfilled, the personal data shall be destroyed or returned to the data controller under the supervision of the Personal Data Protection Authority.

The processor or third party shall be liable for any infringements arising from non-compliance with the conditions of personal data processing set forth in this Law.

SECURITY

Data controllers or the individual in charge of the treatment of personal data must abide by the principle of personal data security, for which they must consider the categories and volume of personal data, the state of the art, best comprehensive security practices and the costs of application according to the nature, scope, context, and purposes of the treatment, as well as identifying the probability of risks.

Data controllers or the individual in charge of the treatment must implement a process of verification, evaluation and continuous and permanent assessment of the efficiency and effectiveness of the measures of a technical, organizational and any other nature implemented to guarantee and improve the security of the processing of personal data.


The individual in charge of the treatment of personal data must demonstrate that the measures adopted and implemented adequately mitigate the risks identified.

Among other measures, the following may be included:

1. Anonymization, pseudonymization or encryption of personal data.
2. Measures aimed at maintaining the confidentiality, integrity and permanent availability of the systems and services for the processing of personal data, and at restoring access to personal data quickly in the event of an incident.
3. Measures aimed at improving technical, physical, administrative, and legal resilience.

Those responsible for and in charge of the treatment of personal data may avail themselves of international standards for adequate risk management focused on the protection of rights and freedoms, as well as for the implementation and management of information security systems or codes of conduct, recognized and authorized by the Personal Data Protection Authority.

BREACH NOTIFICATION

Mandatory breach notification

Data controllers or the individual in charge of the treatment of personal data must notify any personal data security breach to the Personal Data Protection Authority and the Telecommunication Control Agency as soon as possible, and at the latest within a term of five (5) days after the breach incident occurred, unless it is unlikely that said breach of security constitutes a risk to the rights and freedoms of the individual owners. If the notification to the Data Protection Authority does not take place within five (5) days, it must be accompanied by an indication of the reasons for the delay.

Data controllers or the individual in charge of the treatment of personal data must notify the person in charge of any violation of the security of personal data as soon as possible, and at the latest within a term of two (2) days from the date on which they become aware of it.

The person responsible for the treatment must notify the owner of the personal data security breach without delay when it entails a risk to their fundamental rights and individual freedoms, within a term of three (3) days from the date on which they became aware of the risk.

ENFORCEMENT

In case of non-compliance with the provisions set forth in the Law, its regulations, guidelines and directives, and regulations issued by the Personal Data Protection Authority, the Personal Data Protection Authority shall issue corrective measures with the purpose of preventing the infringement from continuing and the conduct from occurring again, without prejudice to the application of the corresponding administrative sanctions.

Corrective measures may consist of, among others:

1. The cessation of the treatment, under certain conditions or deadlines.
2. The disposal of the data; and,
3. The imposition of technical, legal, organizational or administrative measures to ensure proper handling of personal data.

The Personal Data Protection Authority, within the framework of this Law, will dictate the corrective measures for each case; infringements are classified into minor infringements and serious infringements.

Penalties for minor infringements will impose an administrative sanction of a fine between 0.1% and 0.7% calculated on the turnover corresponding to the financial year immediately prior to the imposition of the fine.

Penalties for serious infringements will impose an administrative sanction of a fine between 0.7% and 1% calculated on the turnover corresponding to the financial year immediately prior to the imposition of the fine.

In addition to the previously mentioned fines, the Personal Data Protection Authority may apply provisional measures of protection or precautionary measures such as:

1. Seizure.
2. Withholding.
3. Sale prohibitions.
4. Shutdown of establishments.
5. Activity suspension.
6. Decommissioning of products, documents, or other goods.
7. Eviction of individuals.

ELECTRONIC MARKETING

There is no specific regulation on data treatment for electronic marketing. To the extent that it involves the processing of personal data, it is subject to the general rules applicable to such data, such as valid data subject consent, adequate privacy notices as to the use and disclosure of personal data, and data subject rights.

ONLINE PRIVACY

There is no specific regulation regarding the processing of personal data online; therefore, this kind of processing is governed by the Personal Data Protection Organic Law.

Personal data must not be made available online unless there are adequate security measures to ensure that access by any unauthorized user is restricted.

The use of cookies on web pages is forbidden unless the data subject has given authorization for their use, which may be obtained through a pop-up informing the user about the privacy policy and the way to disable cookies. All other tracking systems need proper authorization from the data subject.

Unauthorized collection of personal data is subject to the general rules applicable to such data.

KEY CONTACTS

Bustamante Fabara
bustamantefabara.com/

José Rafael Bustamante Crespo
Partner
Bustamante Fabara
jrbc@bustamantefabara.com

Gino Ivich Jijón
Associate
Bustamante Fabara
T +593998546947
givich@bustamantefabara.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

EGYPT

Last modified 20 December 2021

LAW

Personal Data Protection Law No.151 of 2020 (the “Law”).

DEFINITIONS

Definition of Personal Data

Pursuant to Article (1) of the Law, personal data shall mean any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking such personal data with other data such as name, voice, picture, identification number, online identifier, or any data which determines the psychological, medical, economic, cultural or social identity of a natural person.

Definition of Sensitive Personal Data

Pursuant to Article (1) of the Law, sensitive data shall mean data which discloses psychological, mental or physical health, or genetic, biometric or financial data, religious beliefs, political views, or criminal records. In all cases, data relating to children is considered to be sensitive personal data.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to Article (19) of the Law, the Personal Data Protection Centre (the “Centre”) is a public economic authority that has a legal personality and is under the authority of the Minister of Communications and Information Technology. Such authority aims to protect personal data and regulate the activities of processing and granting access to such personal data. The Centre shall exercise all the competences stipulated by the Law for achieving its objectives. In particular, the Centre has the following competences:

1. Setting and developing the policies, strategic plans and programs necessary for protecting personal data and the execution thereof;
2. Unifying the policies and plans for protecting and processing personal data within the Arab Republic of Egypt;
3. Setting and applying the decisions, regulations, measures, procedures and criteria related to the protection of personal data;
4. Setting a guidance framework for the codes of conduct related to the protection of personal data and approving the codes of conduct of different entities;
5. Organizing and cooperating with all the entities, governmental and non-governmental bodies in guaranteeing personal data protection measures and connecting with all the related initiatives;
6. Supporting the development of the competence of the personnel working in all governmental and non-governmental entities who are responsible for the protection of personal data;
7. Issuing licenses, permits, certifications and various measures related to the protection of personal data and the enforcement of the provisions of the Law;
8. Accrediting the entities or individuals and granting them the required permits to provide consultation in relation to personal data protection measures;
9. Receiving complaints and communications related to the provisions of the Law and issuing the necessary decisions in this regard;
10. Advising on draft laws and international agreements which are related to, regulate, or affect personal data directly or indirectly;
11. Monitoring and inspecting the addressees of the provisions of the Law, and taking the necessary legal procedures;
12. Verifying the conditions of cross-border personal data transfer and issuing the decisions regulating the same;
13. Organizing conferences, workshops, training and educational courses and issuing publications to raise awareness and to educate individuals and entities about their rights in relation to dealing with personal data;
14. Providing all types of expertise and consultations related to the protection of personal data, in particular to the investigation and judicial authorities;
15. Entering into agreements and memoranda of understanding, and coordination, cooperation and knowledge-exchange agreements, with international entities which are relevant to the Centre’s work;
16. Issuing circulars which update the personal data protection measures, in accordance with the activities of different sectors and with the Centre’s recommendations; and
17. Preparing and issuing an annual report on the status of protection of personal data in the Arab Republic of Egypt.

REGISTRATION

Pursuant to the Law, the controller or the processor must obtain a license or a permit from the Centre for practicing the activity of collecting, storing, transferring, or processing electronic personal data or sensitive data, or to undertake any electronic marketing activities.

Applications for licenses, permits, and certifications shall be submitted on the forms produced by the Centre together with all of the supporting documents and information requested to be submitted, along with proof of the applicant’s financial ability and its ability to implement the stipulated requirements and technical standards. Decisions on the applications shall be made within a period not exceeding ninety (90) days from the date of completing all documentation and information. The lapse of the above-mentioned period without any decision shall be deemed rejection of the application.

Pursuant to Article (26) of the Law, the licensing fee shall not exceed EGP 2,000,000 (two million Egyptian pounds), while permits or certifications shall not exceed EGP 500,000 (five hundred thousand Egyptian pounds).

DATA PROTECTION OFFICERS

Pursuant to Article (8) of the Law, the legal representative of the juristic person of either the controller or the processor shall appoint a competent employee as a Data Protection Officer (the “DPO”) within its entity to be responsible for personal data protection. Such DPO must be registered on the DPO register at the Centre. The DPO shall be responsible for enforcing the provisions of the Law and the decisions of the Centre, as well as monitoring and supervising the procedures applicable within the entity and receiving requests related to personal data. The DPO shall, in particular, undertake the following:

1. Perform a regular evaluation and inspection of the personal data protection systems and avoid infringement thereto, as well as documenting the results of such evaluation and issuing the necessary recommendations for its protection.
2. Act as a direct contact point with the Centre and implement its decisions, with respect to the application of the provisions of the Law.
3. Enable the data subject to exercise its rights stipulated under the Law.
4. Notify the Centre of the occurrence of any breach of personal data within his entity.
5. Reply to the requests submitted by the data subject or any relevant person and reply to the complaints filed by them to the Centre.
6. Follow up the registration and update the personal data records held by the controller, or the processing activity records held by the processor, to guarantee the accuracy of the data and information recorded therein.
7. Eliminate any transgressions related to personal data within its entity and undertake the corrective actions related thereto.
8. Organise the necessary training programs for the employees of the relevant legal entity, who are required to have sufficient qualifications that comply with the requirements stipulated by the Law.

COLLECTION & PROCESSING

Data Protection Principles

Controllers and processors must comply with a set of rules governing the processing of personal data. Pursuant to the Law, the following conditions must be fulfilled in order to collect, process and retain personal data:

1. Personal data shall be collected for legitimate and specific purposes that shall be disclosed to the data subject.
2. Personal data shall be correct, valid, and secured.
3. Personal data shall be processed in a legitimate manner and in compliance with the purposes for which it is being collected.
4. Personal data shall not be retained for a period longer than is necessary for the fulfilment of the purpose thereof.

Processing Conditions

Pursuant to Article (6) of the Law, the electronic processing of personal data shall be considered legitimate and legal in cases where it satisfies one of the following conditions:

1. It is carried out with the data subject’s consent for the achievement of certain purpose(s);
2. It is necessary and intrinsic for the performance of a contractual obligation or legal action, the execution of an agreement for the benefit of the data subject, or the undertaking of any procedure with respect to claiming or defending the data subject’s legal rights;
3. It is necessary for performing a legal obligation or an order issued by the competent investigation authorities or it is based upon a judicial ruling; or
4. It is necessary for enabling the controller to perform its obligations or any relevant person to exercise its legitimate rights, unless this contradicts the data subject’s fundamental rights and freedoms.

Rights of Data Subjects

Pursuant to Article (2) of the Law, personal data may not be collected, processed, disclosed, or revealed by any means except with the explicit consent of the data subject or where otherwise permitted by law.

Further, data subjects have a range of rights to control the processing of their personal data, which are as follows:

1. To know, review and access/obtain his/her own personal data, which is in the possession of any holder, controller or processor;
2. To withdraw the prior consent concerning the retention or processing of his/her personal data;
3. To correct, edit, erase, add or update his/her personal data;
4. To limit the processing to a specified purpose;
5. To be notified of any infringement of his/her personal data; and
6. To object to the processing of personal data or its results whenever this contradicts the data subject’s fundamental rights and freedoms.

Obligations of the Controller and the Processor

Pursuant to Articles (5) and (6) of the Law, the controller and the processor must comply with certain conditions while collecting and processing personal data, inter alia:

1. Ensure the validity, conformity and sufficiency of the personal data with the purpose of its collection;
2. Not exceed the purpose and period of processing, and notify the controller, the data subject or each relevant person, as the case may be, of the period necessary for processing;
3. Set the method, manner, and standards for processing pursuant to the designated purpose;
4. Ensure the applicability of the specified purpose for the collection of the personal data for processing objectives;
5. Refrain from undertaking any action which would result in disclosing personal data except in the cases permitted by law;
6. Adopt all technical and regulatory procedures and apply the necessary standard criteria for protecting personal data and ensuring its confidentiality, and prevent any hack, damage, alteration or manipulation through any illegitimate procedure;
7. Correct any error in the personal data immediately upon being notified or becoming aware of such error; and
8. Avoid any direct or indirect harm to the data subject.

TRANSFER

Pursuant to Article (14) of the Law, it is prohibited to transfer any personal data that was collected or prepared for processing to a foreign country unless such country grants a level of protection of personal data that does not fall below what is stipulated in the Law, and subject to obtaining a relevant license or permit from the Centre. However, exceptions are made under Article (15) of the Law, if the direct consent of the data subject or his representative is obtained for transferring, sharing, circulating or processing personal data to a country that does not offer the same level of protection, in the following cases:

1. To protect the data subject’s life and provide them with medical care, treatment, or the administration of medical services.
2. To perform obligations in order to prove the existence of a legal right or to exercise or defend such right before the judiciary.
3. To conclude or perform an agreement entered into by the person responsible for processing the personal data and a third party, which shall be in favor of the concerned data subject.
4. To perform a procedure required under an international judicial cooperation.
5. There is a legal necessity or obligation to protect the public interest.
6. To transfer money to another country pursuant to the laws in force in that country.
7. If the transfer or circulation is pursuant to a bilateral or multilateral agreement to which the Arab Republic of Egypt is a party.

In addition, the controller or the processor may, as the case may be, grant access to personal data to another controller or processor outside the Arab Republic of Egypt by virtue of a license from the Centre, provided that the following conditions have been met:

1. There is conformity between the nature of work of either of the controllers or processors, or unity between the purposes for which they obtain the personal data.
2. Either the controllers or processors, or the data subject, have a legitimate interest in the personal data.
3. The level of legal and technical protection of the personal data offered by the controller or the processor abroad shall not fall below the level of protection provided in the Arab Republic of Egypt.

SECURITY

The Law defines data security as the technological and organizational procedures and operations for the purpose of protecting the privacy, secrecy, safety, unity, and completeness of personal data.

The Law does not state any specific technical standards or measures. However, the Law states that the controller must adopt all technical and regulatory procedures and apply the necessary standard criteria for protecting personal data and to ensure its confidentiality, and prevent any hack, damage, alteration or manipulation through any illegitimate procedure.

Furthermore, Article (25) of the Egyptian Anti-Cybercrimes Law imposes penalties of imprisonment for a period not less than six (6) months and/or a fine not less than EGP 50,000 (fifty thousand Egyptian pounds) and not exceeding EGP 100,000 (one hundred thousand Egyptian pounds). This penalty is imposed, regardless of whether the published information is correct or incorrect, on whoever violates the right to privacy, grants any personal data to a system or a website, or sends densified e-mails without the data subject’s consent in order to promote goods or services or to publish information, news, pictures or the like, through the information network or by any means of information technology.

BREACH NOTIFICATION


Pursuant to Article (7) of the Law, each of the controller and the processor, as the case may be, shall notify the Centre of any personal data infringement within seventy-two (72) hours of such infringement. In the event that such infringement relates to national security protection concerns, the notification shall be immediate. In all events, the Centre shall immediately notify the National Security Authorities of the infringement and provide them, within seventy-two (72) hours from becoming aware of the infringement, with the following:

description of the nature of the infringement, the form and the reasons thereof, as well as the approximate number of personal data and their records;

the information of the DPO;

the potential consequences of the infringement;

description of the procedures which have been followed and the proposed procedures to be adopted in order to minimize the negative impacts of the infringement;

evidence documenting any personal data infringement and the corrective actions which have been taken to solve it; and

any documents, information or data requested by the Centre.

In all events, the Controller and Processor, as the case may be, shall notify the data subject within three (3) days from the date of notifying the Centre of the infringement and the adopted procedures related thereto.

The Law defines the National Security Authorities as the Presidency, Ministry of Defence, Ministry of Interior, the General Intelligence Directorate, and the Administrative Control Authority.

ENFORCEMENT

Right to Raise Complaints

Pursuant to Article (33) of the Law, the data subject and any relevant person has the right to submit a complaint in relation to:

Infringement or breach of the right of protection of personal data.

Failure to enable the data subject to exercise his/her rights.

The decisions issued by the DPO of the processor or controller in relation to the requests submitted to him/her.

Judicial Control Powers

The Centre’s employees, who are appointed by a decision of the Minister of Justice upon the proposal of the Minister of Telecommunications and Information Technology (the competent minister in this regard), shall have judicial control powers in relation to violations of the Law.

Penalties

Failure to comply with the provisions of the Law shall be penalized with imprisonment and/or fines that can reach up to EGP 5,000,000 (five million Egyptian pounds).

ELECTRONIC MARKETING

Pursuant to Article (17) of the Law, any electronic communication for the purpose of direct marketing to the data subject shall be prohibited unless the following conditions are met:

consent is obtained from the data subject;

the communication includes the identity of its creator and sender;

the sender has a valid and complete address at which it can be contacted;

the purpose is clearly indicated as being for direct marketing; and

clear and uncomplicated mechanisms are set to allow the data subject to refuse the electronic communication or to withdraw his/her consent to receive such communication.

Further, Article (18) of the Law provides that the sender of any electronic communication for direct marketing purposes shall undertake to do the following:

specify a defined marketing purpose;

not disclose the contact details of the data subject; and

maintain electronic records evidencing the consent of the data subject to receive electronic marketing communication and any amendments thereof, or their non-objection to its continuity, for a duration of three (3) years from the date of sending the last communication.

ONLINE PRIVACY

The Law does not provide any specific rules governing cookies and location data. However, pursuant to Article (2) of the Egyptian Anti-Cybercrimes Law No. 175 of 2018, service providers are under a duty to maintain the privacy of the data stored and not to disclose it to anyone without a reasoned order from a relevant judicial authority. Such duty includes the personal data of any of the users of the service provided by such service provider. A service provider who violates this duty shall be penalized with imprisonment for a period not less than one (1) year and/or a fine not less than EGP 5,000 (five thousand Egyptian pounds) and not exceeding EGP 20,000 (twenty thousand Egyptian pounds).

Furthermore, Article (25) of the Anti-Cybercrimes Law imposes penalties of imprisonment for a period not less than six (6) months and/or a fine not less than EGP 50,000 (fifty thousand Egyptian pounds) and not exceeding EGP 100,000 (one hundred thousand Egyptian pounds). This penalty is imposed, regardless of whether the published information is correct or incorrect, on whoever violates the right to privacy, grants any personal data to a system or a website, or sends densified e-mails without the data subject’s consent in order to promote goods or services or to publish information, news, pictures or the like, through the information network or by any means of information technology.

KEY CONTACTS

Matouk Bassiouny & Hennawy

matoukbassiouny.com/the-firm/


Nevine Aboualam
Partner

Matouk Bassiouny & Hennawy

T + (202) 2796 2042 (ext.111)

nevine.aboualam@matoukbassiouny.com


EL SALVADOR

Last modified 16 February 2022

LAW

N/A.

El Salvador’s Congress approved a Personal Data Protection Act on Apr. 22, 2021. As part of the process of creation of a Law in El Salvador, all Acts approved by Congress are later referred to the President of the Republic for his review/veto/approval. In this case, the Act was vetoed and sent back to Congress for review, but no further action has been taken in order to review the causes for the veto and/or make any amendments for its further approval.

Hence, data protection regulation in El Salvador remains disseminated across many other Acts that briefly regulate the confidentiality of a person’s information, but no specific regulation is in place.

DEFINITIONS

Definition of Personal Data

“Information concerning a natural/moral person who is identified or identifiable.”

Definition as contained in the Personal Data Protection Act of Apr. 22, 2021.

Definition of Sensitive Personal Data

“Personal data that affects the most intimate sphere of its owner and whose misuse may give rise to discrimination, or seriously affect the right to honour, personal and family privacy and self-image. They are generally those that reveal aspects such as creed, religion, ethnic origin, political affiliation or ideologies, union membership, sexual preferences, physical and mental health, biometric information, genetics, moral and family situation, and other intimate information of a similar nature.”

Definition as contained in the Personal Data Protection Act of Apr. 22, 2021.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Protection Act of Apr. 22, 2021 created the National Authority for the Protection of Personal Data; however, said institution is not in force given that the Act was not finally approved.

Some protection of data is handled by the Institution of Access to Public Information, but specifically in regard to data of persons who have had a direct relationship with the Government, such as current or former public employees, contractors, etc.

REGISTRATION

Registration is not regulated.

DATA PROTECTION OFFICERS

To this date, only Public Offices/Institutions are required to appoint a Public Information Access Officer, but no Data Protection Officer regulation is in place.

COLLECTION & PROCESSING

Collecting and Processing is not specifically regulated. However, the E-Commerce Act establishes, in general terms, that all information provided by the user of an online store/marketplace must be safely guarded. Similar requirements are established by the E-Signature Act in regard to the information of the owners of an E-Signature.

TRANSFER

Transfer is not specifically regulated. However, dispersed regulation generally establishes that the owner of personal information must authorise the transfer of their data in writing.

SECURITY

Security is not specifically regulated. However, the E-Commerce Act establishes, in general terms, that all information provided by the user of an online store/marketplace must be safely guarded. Similar requirements are established by the E-Signature Act in regard to the information of the owners of an E-Signature.

BREACH NOTIFICATION

Breach notification is not regulated.

ENFORCEMENT

No specific Enforcement Authority has been created. However, to the extent of its capabilities and within the legal framework of our criminal jurisdiction, the General Attorney’s Office can prosecute any crime related to the use of personal data as regulated in the laws of the matter.

ELECTRONIC MARKETING

Electronic Marketing is not specifically regulated; however, false/misleading advertisement is punishable as stated in El Salvador’s Consumer Protection Act.

ONLINE PRIVACY

No specific regulation is in place regarding online privacy in El Salvador.


KEY CONTACTS

Central Law

central-law.com


Fernando Argumedo
Associate

Central Law

T +503 2241 3600

fargumedo@central-law.com

Francisco Murillo
Associate

Central Law

T +503 2241 3600

fmurillo@central-law.com


EQUATORIAL GUINEA

Last modified 10 January 2022

LAW

The applicable law is the Personal Data Protection Law Num. 1/2016 dated 22 July.

DEFINITIONS

Definition of Personal Data

The Personal Data Protection Law under art. 4 defines personal data as “any information, testimony or review concerning a person specifically identified or identifiable”.

Definition of Sensitive Personal Data

The law does not provide a definition of sensitive personal data. However, art. 41(d) considers as a major infringement the processing or giving out of personal data relating to liberty of conscience, political affiliation or ideology, health, sex life, race, tribe, religion or any other form of discrimination without the express authorization of the owner.

NATIONAL DATA PROTECTION AUTHORITY

The Governing Data Protection Body.

REGISTRATION

The General Data Protection Registry (art. 33) is the organ responsible for registration under its Technical Secretariat, which takes charge of the registration of public and private personal data files and of carrying out all actions entailing the modification, creation or suppression of personal data through authorised books.

DATA PROTECTION OFFICERS

The Governing Data Protection Body, through its Technical Secretariat, is responsible for ensuring that the administration of personal data files, regardless of their ownership, is done in due compliance with the provisions of the law.

COLLECTION & PROCESSING

Arts. 6 and 9 of the applicable law determine that only personal data that are adequate, accurate, truthful, complete and not excessive in relation to the scope and purpose of their collection may be used, prohibiting the collection of such data by fraudulent and unlawful means.

In this regard, interested parties from whom personal data are requested must be previously and expressly informed, in a concise and unequivocal manner, about the purpose and consequences of the collection, the destination and the recipients of the information, the mandatory or optional nature of their response to the questions asked, the effects of a refusal to provide them, as well as the identity and address of the person responsible for the processing or its representative.

According to the law, the processing of data by third parties must be subject to a contractual agreement under which the third party agrees in writing to process the data solely in accordance with the instructions authorised by the owner; that is, the data must not be used or applied for a different purpose or communicated to third parties (art. 8).

TRANSFER

Art. 21 is to the effect that:

Personal data obtained by the General Administration of the State cannot be communicated or given out unless it is for historical, statistical or scientific purposes. However, personal data may be communicated between the public administration and other public organs or institutions.

Private holders of personal data cannot communicate or give out personal data in their possession unless by order of a competent court.

For the performance of any of the above, the holders of the data have to be notified of the purpose for which their data is to be communicated or given out. Notwithstanding, consent will not be needed from the owner of the data unless the data was made available to the public and it is likely to be communicated to other public or private files.

SECURITY

Art. 11 determines that the data controller or data processor must adopt the necessary technical and organisational measures to ensure the security of the personal data processed, ensuring their preservation and avoiding their alteration, loss, or unauthorised processing or access. In this sense, personal data must not be recorded in files, systems or processing centres that do not meet the security conditions for the integrity, confidentiality and guarantee of the same.

BREACH NOTIFICATION

The breach of notification constitutes a minor infringement when the data was obtained from the person concerned (art. 39 C) and a major infringement when the data was not obtained from the person concerned (art. 40 C).

Mandatory breach notification

The law does provide for a mandatory breach duty. Notwithstanding, it provides that in the case of a severe or major breach likely to affect a fundamental right or personal data, the sanctioning organ may require the person responsible to restrain the use, communication, giving out, or illegal transfer.

ENFORCEMENT

The enforcement process applied to determine and impose the sanctions is adjusted to the principles, rules and norms of administrative procedure at the request of an audience by the interested party. During the audience, other enforcement measures can be adopted by the sanctioning organ to ensure compliance with the final resolution and to secure the application of the sanctions. However, these measures have a provisional character (art. 45).

Where the infringement is committed in a public file, the sanctioning organ has to pass a resolution ordering the dismissal or correction of the infringement, as well as propose the application of disciplinary proceedings against the offenders (art. 45).

The resolution of the sanctioning organ is elevated to a higher authority, which must then verify and determine the applicable sanctions against the infringement.

ELECTRONIC MARKETING

Not regulated by the personal data protection law. However, art. 22 of the Internet Communication Law Num. 1/2017, dated January, is to the effect that commercial electronic communications such as adverts and promotions must conform with the data protection laws in relation to the abstention, creation and maintenance of files. Moreover, data used for such purposes must be clear and identifiable.

ONLINE PRIVACY

Not regulated by the law.

KEY CONTACTS

Centurion Law Group

centurionlg.com/


Maria Cheswa Alogo Django
Junior Associate

Centurion Law Group

T 00240 222 378 493

maria.django@centurionlg.com

Pablo Mitogo
Associate

Centurion Law Group

T 00240 222 762 410

pablo.mitogo@centurionlawfirm.com


ESTONIA

Last modified 12 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

In Estonia, all derogations / additional requirements to the GDPR are provided in the new Personal Data Protection Act (PDPA) and the Personal Data Protection Implementation Act (Implementation Act).

The new PDPA was adopted by the Estonian parliament on December 12, 2018 and entered into force on January 15, 2019. The Implementation Act was adopted on February 20, 2019 and entered into force on March 15, 2019.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The PDPA and the Implementation Act use the same definitions as the GDPR and do not foresee any new terms or terms defined differently from the GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The PDPA specifies that in the meaning of Article 51(1) of the GDPR the independent supervisory authority of Estonia shall be the Estonian Data Protection Inspectorate (DPI). The PDPA further specifies the requirements for and appointment of the head of the DPI.

In addition to the tasks provided in Article 57 of the GDPR, the PDPA specifies that the DPI is competent to:

raise awareness and understanding of the public, the controllers and processors about the risks of processing personal data, the standards and safeguards applicable to processing, and the rights related to the processing of personal data (the DPI may provide indicative guidance for this task);

provide information to the data subject, upon request, about the exercise of his rights under the PDPA and, if necessary, cooperate with other supervisory authorities of the European Union Member States for this purpose;

initiate, where necessary, misdemeanor proceedings and impose sanctions in the event that it is not possible to achieve compliance with the requirements provided by law or the GDPR through the application of other administrative measures;

cooperate with international data protection supervisory organizations and other data protection supervisory authorities and other competent authorities and persons of foreign states;

monitor relevant trends insofar as they affect the protection of personal data, in particular the development of information and communication technology;

participate in the European Data Protection Board;

apply administrative coercion to the extent and pursuant to the procedure prescribed by law;

submit opinions to the Estonian parliament, the Government of the Republic, the Chancellor of Justice and other institutions and the public, on its own initiative or upon request, on issues related to the protection of personal data;

perform other duties arising from law.

In addition to the rights and powers under the GDPR, the PDPA specifies that the DPI has the right to:

warn the controller and the processor that the data processing activities are likely to violate the PDPA;

demand the rectification of personal data;

demand the deletion of personal data;

demand restriction of processing of personal data;

demand the termination of the processing of personal data, including destruction or archiving;

implement organizational, physical and informational security measures for the protection of personal data without delay, if necessary in accordance with the procedure provided for by the Substitutive Enforcement and Penalty Payment Act, in order to prevent damage to the rights and freedoms of a person, unless personal data are processed by a public authority;

impose a temporary or permanent restriction on the processing of personal data, including a prohibition on the processing of personal data;

initiate state supervisory proceedings on the basis of a complaint or on its own initiative.

REGISTRATION

There are no EU-wide systems of registration or notification, and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

Given that the GDPR does not provide for the registration of processing of personal data, registries and systems will no longer exist. Pre-recorded data will remain as archived information about past activities.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff;

to advise on and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold-plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

In relation to DPOs, the PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):


with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose


the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.


Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorised by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Processing after data subject’s death. According to the PDPA the consent of the data subject is valid during the data subject’s life and 10 years after the data subject’s death, unless otherwise provided by the data subject. If the data subject has died underage, the data subject’s consent shall be valid for 20 years after his / her death. After the data subject’s death, the processing of his/her personal data is permissible upon the consent of one of the heirs of the data subject, unless:

10 years have passed from the death of the data subject;

More than 20 years have passed from the death of an underaged data subject

Another legal basis for processing exists.


http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631


The aforementioned consent is not required when the processing includes only the data subject’s name, gender, time of

birth and death, the fact of death, and the time and place of burial.

Processing of personal data related to the breach of a contractual obligation. It is permitted to transfer personal data related to a breach of a contractual obligation to a third party, and the third party is permitted to process this personal data, with the purpose of assessing the creditworthiness of the data subject, or with another similar purpose, and only on condition that the controller or processor has checked the correctness of the data and the legal basis for the transfer and has registered the data transfer. Gathering data for the aforementioned purposes and transferring it to a third person is not permissible if the data includes special categories of personal data, the data refers to the fact of being a victim of or committing an offence (before the public hearing, judgement or termination of proceedings), it would have a material adverse effect on the data subject’s rights, or less than 30 days or more than 5 years have passed from the end of the breach of the obligation.

Processing for journalistic purpose – GDPR article 85. It is permissible to process personal data without the data

subject’s consent for journalistic purposes (primarily make information public in media) if public interest exists and

such processing is done according to the principles of journalistic ethics. Such publicising must not cause excessive

damage to the rights of a data subject.

Processing for the purposes of academic, artistic or literary expression – GDPR article 85. It is permissible to

process personal data without the data subject’s consent for the purposes of academic, artistic or literary

expression (primarily publication) if it does not cause excessive damage to the rights of the data subject.

Processing of personal data in a public space. Unless the law specifies otherwise, in case of the recording of audio

or photographic material in a public space, for the purpose of publicizing it, the consent of the data subject shall

be replaced with the notification of the data subject in a form which enables him / her to acknowledge the fact of

recording and to prevent himself / herself from being recorded. The notification obligation does not exist in case

of public events, when the recording of these events for publicizing purposes can be reasonably expected.

Processing for scientific or historical research purposes or for the purposes of official statistics – GDPR article 89. It is permissible to process personal data for these purposes without the data subject’s consent in pseudonymized form or in a form that ensures at least an equivalent level of data protection.

De-pseudonymization, or any other measure that turns non-identifiable personal data into identifiable personal data, is only permissible for further research or official statistics. The processor must name the person who has access to the data that enables de-pseudonymization.

The processing of personal data without data subject’s consent in a form that the data subject is

identifiable is only permissible when:

Pseudonymization would make it impossible to achieve the purposes of the data processing, or they would be impracticably difficult to achieve;

The processor believes that an overwhelming public interest exists;

Based upon the processed personal data, the extent of the data subject’s obligations is not changed and the data subject’s rights are not excessively damaged in any other way.

Where the scientific research is based on special categories of personal data, the ethics committee or the DPI will

ensure the fulfillment of these obligations.

Analyses and research carried out by government institutions for the purposes of policy making are also considered scientific research under the PDPA.

The processor or controller is entitled to limit data subjects’ rights stated in GDPR articles 15, 16, 18, 21 only to

the extent that the enforcement of these rights would probably make the achievement of scientific or historical

research purposes, or the purposes of official statistics, impossible or obstruct it considerably.

Processing for archiving purposes in the public interest – GDPR article 89. The processor or controller is

entitled to limit data subjects’ rights stated in GDPR article 15, 16, 18, 19, 20, 21 only to the extent that

the enforcement of these rights would probably make the achievement of the purposes of archiving in the

public interest impossible or obstruct it considerably. Limiting data subjects’ rights is permissible to

protect the records, their authenticity, credibility, integrity and usability.


TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy

Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and

in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

The PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:


the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.

The PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The PDPA and the Implementation Act do not foresee any derogations / additional requirements to the GDPR.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.


Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The PDPA specifies that the DPI is entitled to apply certain special state supervision measures to carry out the necessary state supervision; in addition, the DPI is entitled to use the measures specified in article 58 of the GDPR. The DPI may make enquiries to electronic communications undertakings about the data required for the identification of an end-user related to the identification tokens used in the public electronic communications network, except for the data relating to the fact of transmission of messages, unless identification of an end-user is otherwise impossible.

Further, with regard to administrative supervision, the DPI is, if the precepts it issued are not fulfilled, entitled to turn to a superior agency, person or body of the processor of personal data for organisation of supervisory control or commencement of disciplinary proceedings against an official. Upon failure to comply with a precept of the DPI, the DPI may impose a penalty payment pursuant to the procedure provided for in the Substitutive Enforcement and Penalty Payment Act. The upper limit for a penalty payment is 20,000,000 euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

In addition to the administrative supervision the DPI may also impose fines (in misdemeanor proceedings) of up to

20,000,000 euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The PDPA also specifies the term for review of complaints, ie, the DPI shall settle a complaint within 30 days after the date of filing the complaint with the Data Protection Inspectorate. In order to additionally clarify certain circumstances this term may be extended by up to 60 days. If cooperation with other relevant supervisory agencies is required, then the term is extended by a reasonable period necessary to receive the opinion from the other agency.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Electronic marketing is regulated by the Electronic Communications Act. As a general rule, the data subject must be able to consent to the electronic marketing. The requirements for this consent depend on whether the addressee is a natural or a legal person, and whether there is an existing client relationship between the parties. Real time non-automated phone calls and regular mail are not considered electronic marketing under Estonian law.

The customer consent must be obtained separately from other terms of the contract between the parties – ie, it cannot be obtained in the standard terms presented to the customer (eg, ‘By accepting these terms you agree to receive our commercial communications at the email address provided to us’). In practice, a checkbox separate from the acceptance of the standard terms is often used to obtain this consent.

An opt-in consent is required if the addressee is a natural person, except in the case of an existing client relationship, where opt-out is permissible. The message itself must always include information to clearly determine the person on whose behalf the marketing is sent, clearly distinguishable direct marketing information and clear instructions on how to refuse to receive further direct marketing (eg, an unsubscribe link).

Reliance on an opt-out (for natural persons) in the framework of existing client relationships is subject to the following additional requirements:

the same entity has obtained the contact details in the course of a sale;

the direct marketing is in respect of similar goods or services;

the recipient was given a possibility to opt out at the collection of his / her personal data;

the message must include information to clearly determine the person on whose behalf the marketing is sent; and

the message must include clearly distinguishable direct marketing information and the recipient is given a simple means in each subsequent email to opt out / unsubscribe.

If the addressee is a legal person, the opt-out system is applicable. There is no need to obtain a prior consent for direct marketing, but:

the message must include information to clearly determine the person on whose behalf the marketing is sent;

the message must include clearly distinguishable direct marketing information; and

the recipient is given a simple means in each subsequent email to opt out / unsubscribe.

ONLINE PRIVACY

Traffic data and location data

Traffic data retention requirements apply only to communications undertakings. Providers of telephone or mobile telephone services and telephone network and mobile telephone network services, as well as providers of Internet access, electronic mail and Internet telephony services are required to preserve for a period of one year network traffic data, location data and associated data thereof which is necessary to identify the subscriber or user in relation to the communications services provided.

Cookies

Due to the opt-out system, consent to cookies is not needed. The law does not refer specifically to browser settings or other applications to be adopted in order to exercise the right to refuse.

The PDPA specifies that if GDPR Article 6(1)(a) is used with regard to providing information society services directly to a child, then the processing of the child’s personal data is permitted if the child is at least 13 years old. If the child is younger, then processing is permissible only if, and to the extent that, the child’s legal representative has consented.

KEY CONTACTS

Sorainen

www.sorainen.com/


Kaupo Lepasepp
Partner

Sorainen

T +372 6 400 900

kaupo.lepasepp@sorainen.com

Mihkel Miidla
Partner, Head of Technology & Data Protection

Sorainen

T +372 6 400 959

mihkel.miidla@sorainen.com


ETHIOPIA

Last modified 20 December 2021

LAW

Ethiopia has several laws that relate to privacy and data security, including the 1995 Constitution of the Federal Democratic Republic of Ethiopia, the 2005 Criminal Code of the Federal Democratic Republic of Ethiopia, the 1960 Civil Code, the Computer Crime Proclamation No. 958/2016, and the Freedom of the Mass Media and Access to Information Proclamation No. 590/2008 (as amended by the Media Proclamation No. 1238/2021).

DEFINITIONS

Definition of Personal Data

No specific definition is generally applicable. 

The Freedom of the Mass Media and Access to Information Proclamation No. 590/2008, applicable to government entities, is understood to generally define personal data as information about an identifiable individual that relates, but is not limited, to:

medical, education, academic, employment, financial transaction, professional or criminal history

ethnic, national or social origin, age, pregnancy, marital status, color, sexual orientation, physical or mental health, well-being, disability, religion, belief, conscience, culture, language or birth

an identification number, symbol or other identifier assigned to the individual, address, fingerprints or blood type

personal opinions, views or preferences, except as relate to another individual

views or opinions on grant proposals, awards, or prizes granted to another individual, provided such views or opinions are not associated with the other individual’s name

views or opinions of others about the individual, or

an individual’s name, in combination with other personal data, or alone, if it could reasonably be linked to personal data (an exception applies for persons deceased for more than 20 years).

The Ethiopian Communications Authority’s Consumers Rights and Protection Directive 2020 defines personal information as private information and records relating to consumers that lead to the identification of such consumers, such as their identity, address or telephone number and/or traffic and billing data and/or other personal information.

Definition of Sensitive Personal Data

Sensitive personal data is not defined.

NATIONAL DATA PROTECTION AUTHORITY

There is no data protection authority.

REGISTRATION


There is no requirement to register databases or personal data processing activities.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION & PROCESSING

Though Ethiopia has not enacted a specific law to address personal data collection and processing issues, the country’s scattered legislative framework is understood to require that personal data be collected and processed with due care and only for an intended lawful purpose. Obtaining express consent for collecting and processing of personal data is also a requirement under those scattered provisions.

TRANSFER

No specific geographic transfer restrictions apply in Ethiopia. 

However, existing law provides that personal data transfers must be based on the prior written consent of the person whose data is to be transferred and only for an intended lawful purpose.

SECURITY

There are no specific data security requirements.

The Computer Crime Proclamation No. 958/2016 requires service providers to implement reasonable and necessary security measures to protect confidential computer traffic data disseminated through their computer systems or communications services from unlawful and unnecessary access.

The Ethiopian Communications Authority’s Sim Card Registration Directive requires Telecommunication Operators to take all reasonable steps to ensure the security and confidentiality of their subscribers’ registration details.

BREACH NOTIFICATION

There is no general breach notification requirement in Ethiopia. 

However, the Computer Crime Proclamation No. 958/2016 requires service providers with knowledge that a crime stipulated by the Proclamation (including breach of privacy via unauthorized access) has been committed by a third party through the computer system it administers to immediately notify the Information Network Security Agency, report the crime to police, and take appropriate measures.

The Ethiopian Communications Authority’s Sim Card Registration Directive under Article 24 obliges a telecommunication operator to notify the Ethiopian Communications Authority of any data breach that compromises subscribers’ information within seven (7) business days from discovery of the breach. The operator shall also notify the affected subscriber of such breach.

ENFORCEMENT

Ethiopian courts are responsible for enforcing data protection and privacy provisions in the law.  

ELECTRONIC MARKETING

No specific law regulates electronic marketing in Ethiopia.

ONLINE PRIVACY

There are several provisions in Ethiopian law to regulate online privacy. For example, the Computer Crime Proclamation No. 958/2016 criminalizes the unauthorized access to, and illegal interception and damage of, computer data. The Proclamation further prohibits the use of computer systems to disseminate advertisements absent addressee consent.

The new Media Proclamation obliges online media to protect the data of users and to obtain explicit consent from users in circumstances requiring users’ data to be made available to third parties.

KEY CONTACTS


Benyam Tafesse
Head, Employment, IP & Aviation Practices

Mehrteab Leul & Associates

T +251 115 159 798

benyam@mehrteableul.com


FIJI

Last modified 10 January 2022

LAW

There is no specific legislation for personal data protection in Fiji. Clause 24 of the Constitution (2013) provides the right to personal privacy, including the right to confidentiality of personal information.

Some sector-specific laws criminalise (or expose to other serious action) the unauthorised disclosure by others of personal/client information as follows:

Banking Act 1995 – by central bank personnel (s.27) and licensed financial institution personnel (s.71)

Fiji Revenue and Customs Service Act 1998 – by tax officials (s.52 (2))

Medical and Dental Practitioner Act 2010 – by statutory administrators of any data obtained in the course of their duties (s.126)

Under the Rules of Professional Conduct and Practice (para 1.4) of the Legal Practitioners Act 2009 – information received by legal practitioners from or on behalf of clients

Cybercrime Act 2021 (has not commenced yet) – defines ‘computer data’, which is broad enough to capture personal data if it is stored in a computer system.

These laws, however, do not directly protect personal information.

DEFINITIONS

Definition of Personal Data

The only actionable rights available to citizens are in s.24 of the Constitution. This creates a right to “personal privacy”, said to include:

“confidentiality of their personal information;

confidentiality of their communications; and

respect for their private and family life”.

These terms are not otherwise defined.

Definition of Sensitive Personal Data

None.

NATIONAL DATA PROTECTION AUTHORITY

None.


REGISTRATION

None.

DATA PROTECTION OFFICERS

None.

COLLECTION & PROCESSING

No applicable laws.

TRANSFER

No applicable laws.

SECURITY

No applicable laws.

BREACH NOTIFICATION

No applicable laws.

ENFORCEMENT

No applicable laws.

ELECTRONIC MARKETING

No applicable laws.

ONLINE PRIVACY

No applicable laws.

KEY CONTACTS

Munro Leys

www.munroleyslaw.com/

Richard Naidu
Partner

Munro Leys

T +679 322 1816

richard.naidu@munroleyslaw.com.fj

Bhumika Khatri
Associate

Munro Leys

T +679 322 1824

bhumika.khatri@munroleyslaw.com.fj


FINLAND

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Finland has passed a supplementary implementation act of the GDPR, the Data Protection Act of Finland (Tietosuojalaki), which entered into force on January 1, 2019.

Other key Finnish laws concerning data privacy and protection are: the Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) of January 1, 2015, which aims to, inter alia, ensure the confidentiality of electronic communication and the protection of privacy; the Act on the Protection of Privacy in Working Life 759/2004 (Laki yksityisyyden suojasta työelämässä) (‘Working Life Act’), which aims to promote the protection of privacy and other rights safeguarding privacy in working life; and the Act on the Processing of Personal Data in Criminal Cases and in connection with Maintaining National Security 1054/2018 (Laki henkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä), which entered into force on January 1, 2019 along with the Data Protection Act.

The Working Life Act includes some specific provisions on privacy issues relating to employment and work environments, such as the right to monitor employees’ email communication. The protection of employees’ privacy has traditionally been strict in Finland, and Finland uses the national leeway provided in the GDPR with regard to processing of personal data in the context of employment and maintains the specific law concerning privacy in working life.


DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The definitions in Finland are the same as in the GDPR and no additional local definitions have been included.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

In Finland, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto) is the local supervisory authority. The Office of the Data Protection Ombudsman contains the Data Protection Ombudsman himself, two Assistant Data Protection Ombudsmen as well as various data protection experts and secretaries as public servants.

Post address: P.O. Box 800, 00531 Helsinki Finland

Visiting address: Lintulahdenkuja 4, 00530 Helsinki Finland

T +358 29 56 66700

tietosuoja@om.fi

www.tietosuoja.fi

The Data Protection Act specifies the Data Protection Ombudsman’s duties and rights under the GDPR regarding, eg, audits, the right to receive information and the right to impose sanctions on entities.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

The Finnish Data Protection Act does not contain any provisions related to registration. The former Finnish Personal Data Act did contain some requirements for registration, but these have been repealed.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

In Finland the new Data Protection Act does not contain specific local requirements on data protection officers. However, a few special national acts stipulate mandatory appointment of data protection officers.

For example, in Finland all functional units of healthcare and social welfare as well as pharmacies must appoint a data protection officer under the Act on Electronic Prescriptions 2007/61 (Laki sähköisestä lääkemääräyksestä) and under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007) (Laki sosiaali- ja terveydenhuollon asiakastietojen sähköisestä käsittelystä).

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data –  use data collected for one purpose for a new purpose which wasie,

not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Finland 356 | | | www.dlapiperdataprotection.com

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

- the identity and contact details of the controller;
- the data protection officer’s contact details (if there is one);
- both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
- the recipients or categories of recipients of the personal data;
- details of international transfers;
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
- the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
- where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
- the consequences of failing to provide data necessary to enter into a contract;
- the existence of any automated decision making and profiling and the consequences for the data subject; and
- in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google, as a data controller of the search results, had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject; or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls or .csv).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Finland has used the national leeway provided in GDPR article 6(1) subsection e) as well as GDPR article 9(2) subsections b), g), h), i) and j) regarding collecting and processing personal data in certain situations.

In Finland, personal data may be processed under GDPR article 6(1) e) when processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, if:

- it relates to information describing a person’s position and duties, and the performance thereof, in a public sector entity, business life or other equivalent activity, the purpose of processing rests on public interest grounds and it complies with the principle of proportionality;
- it is necessary in the operation of authorities in order to perform a task in the public interest and it complies with the principle of proportionality;
- it is necessary for scientific or historical research or statistical purposes and it complies with the principle of proportionality; or
- the processing of research material, material related to cultural heritage and any descriptive information thereof for archiving purposes is necessary on public interest grounds and complies with the principle of proportionality.

The processing of special categories of personal data under GDPR article 9(2) subsections b), g), h), i) and j) may be carried out in Finland if it concerns, by way of example:

- personal data of the insured person or a claimant within the operation of an insurance company to settle its liability;
- health and medical data in connection with certain operations of healthcare and social welfare service providers; or
- processing for scientific or historical research purposes or statistical purposes.

In addition to the above-mentioned processing activities, the national leeway has also been used in the Data Protection Act with respect to processing related to criminal convictions and offences as well as processing of national identification numbers. For example, in relation to national identification numbers, processing is only allowed based on data subject consent or if it is necessary to unambiguously identify the data subject for: a) a task defined in law, b) realization of the rights and responsibilities of the data subject or data controller, or c) historical or scientific research or statistical purposes. Further, national identification numbers can be processed for, eg, credit, loan, insurance, debt collection, payment service and leasing purposes, in social or healthcare services, and in connection with employment relationships.

The Working Life Act sets additional processing requirements for employment-related data that an employer collects and processes about its employees. All employee personal data processed must at all times be directly necessary for the employee’s employment relationship. This necessity requirement cannot be bypassed even with the employee’s consent.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand. Japan (2019) and the United Kingdom (2021) have since also received adequacy decisions.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses; the EU-US Privacy Shield Framework previously served the same role, but it was invalidated by the CJEU in July 2020 (Schrems II, Case C-311/18) and can no longer be relied upon. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context-specific derogations, permitting transfers to third countries where:

- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

The new Data Protection Act does not include additional clauses concerning the transfer of personal data, ie, Finland has decided not to use the marginal national leeway provided in GDPR articles 46 and 49 for now.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The new Finnish Data Protection Act does not contain any direct additional requirements for the security of processing in the meaning of GDPR article 32. However, the Data Protection Act does specify the security measures to be taken if special categories of personal data are processed. These measures are mostly the same as those included in GDPR article 32 (eg, pseudonymization, encryption, personnel training, access management, and logging of data usage), and according to the explanatory text of the government proposal serve more as examples of what measures must be taken rather than an exhaustive mandatory list, despite the wording used.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

In Finland the general breach notification procedure follows the rules set by the GDPR.

However, certain special national legislation does include additional requirements on breach notifications. The Act on Electronic Communication Services establishes an obligation for telecommunications operators to notify their subscribers, users and the Finnish Transport and Communications Agency (‘Traficom’) of significant information security violations or threats and of anything else that prevents or significantly interferes with communication services. In addition, under the Act on Electronic Communication Services, domain name registrars shall notify Traficom without undue delay of significant violations of information security in their domain name services and of anything that essentially prevents or disturbs such services.

The Act on Strong Electronic Identification and Electronic Signatures (617/2009) (Laki vahvasta sähköisestä tunnistamisesta ja sähköisistä luottamuspalveluista) also states that an electronic identification service provider shall notify service providers using its services, identification device holders as well as Traficom of severe risks and threats to its data security.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on their subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

- any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In Finland, the Data Protection Ombudsman and the Deputy Data Protection Ombudsmen supervise compliance with the GDPR and the Finnish Data Protection Act. In addition, an Expert Committee provides statements on significant questions and matters related to data processing upon the request of the Data Protection Ombudsman.

The Data Protection Ombudsman may order a data controller or data processor to comply with certain articles of the GDPR as well as Section 18 of the Data Protection Act, which covers the Data Protection Ombudsman’s right to receive necessary information, and may impose a default fine to make the order more effective. However, the default fine may not be imposed on a natural person for failing to comply with the section on the Data Protection Ombudsman’s right to receive information if the person is suspected of a crime and the information is related to the alleged crime.

Administrative fines defined in article 83 of the GDPR are issued by a sanction board within the Office of the Data Protection Ombudsman. The sanction board consists of the Data Protection Ombudsman and the two Deputy Data Protection Ombudsmen, and decisions are made by majority. Finland has decided to use the national leeway provided, and the Act provides that administrative fines cannot be issued to:

- state authorities;
- state-owned businesses;
- local authorities;
- independent public institutions;
- organs operating in connection with the Parliament;
- the Office of the President of the Republic; or
- the Evangelical Lutheran Church of Finland or the Orthodox Church of Finland or the parishes, associations of parishes or other bodies thereof.

In addition, criminal sanctions can ensue from breaches of data protection laws in Finland as the Criminal Code of Finland 39/1889 (Rikoslaki) includes several data processing, data privacy, confidentiality and data security related offences or crimes. Finland has also introduced a punishable offence, the data protection offence, to the Criminal Code of Finland based on the GDPR. If the controller or data processor commits a data protection offence, the punishment is a fine or up to one year of imprisonment. The Criminal Code also states that the prosecutor is obligated to hear the Data Protection Ombudsman before bringing charges against a controller or data processor for a data protection offence.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The Act on Electronic Communication Services regulates direct marketing by electronic means in Finland. The Data Protection Ombudsman is also the supervising authority for compliance with the Act on Electronic Communication Services’ provisions concerning direct marketing.

Direct marketing to natural persons by means of automated calling systems, facsimile machines, or email, text, voice, sound or image messages is only allowed if the natural person has given his/her prior consent to it. Direct marketing using other means is allowed if the natural person has not specifically forbidden it. If, however, a service provider receives an email address, number or other contact information in relation to the sale of a product or service, the service provider may normally use this contact information to market to the natural person in question the service provider’s own products or services belonging to the same product group or that are otherwise similar. The natural person must be able to easily and at no charge unsubscribe from or prohibit any direct marketing and the service provider must clearly inform the natural person of that possibility.

A service provider may use direct marketing with legal persons (businesses) unless they have specifically prohibited it. As with natural persons, legal persons must also be able to easily and at no charge unsubscribe from/prohibit any direct marketing and the service provider must clearly inform the legal person of that possibility. In addition, telecommunications operators and corporate or association subscribers are entitled, at a user’s request, to prevent the reception of direct marketing.

The Data Protection Ombudsman and the Finnish Customer Marketing Association have given their interpretations on B2B direct marketing using a legal person’s general contact information, such as an email address (eg, info@company.com). If the B2B direct marketing is sent to a legal person’s employee’s personal work email (firstname.lastname@company.com), the person’s prior consent is required unless the marketed product or service is substantially related to the person’s work duties based on the person’s job description.

Email, text, voice, sound or image messages sent for the purpose of direct marketing must be clearly and unmistakably recognizable as direct marketing. It is forbidden to send a direct marketing message that:

- disguises or conceals the identity of the sender on whose behalf the communication is made;
- is without a valid address to which the recipient may send a request that such communications be ended; or
- solicits recipients to visit websites that contravene the provisions of the Consumer Protection Act 20.1.1978/38 (Kuluttajansuojalaki).

If any processing of personal data is involved in the electronic direct marketing, the provisions of the applicable data protection laws (such as the Finnish Data Protection Act and the GDPR) will also apply.

ONLINE PRIVACY

The Act on Electronic Communication Services 917/2014 (Laki sähköisen viestinnän palveluista) regulates online privacy matters such as the use of cookies and location data.

Cookies

A service provider is allowed to save cookies and other data in a user’s terminal device, as well as use such data, only with the consent of the user. The service provider must also give the user clear and complete information on the purposes of use of cookies.

However, the above restrictions do not apply to the use of cookies only for the purpose of enabling the transmission of messages in communications networks or where it is necessary for the service provider to provide a service that the subscriber or user has specifically requested.

In April 2021, the Helsinki Administrative Court ruled that the competent supervisory authority in cookie consent issues is the Finnish Transport and Communications Agency Traficom, not the Office of the Data Protection Ombudsman. However, the Office of the Data Protection Ombudsman remains the competent supervisory authority in other cookie matters.

In September 2021 Traficom published a guideline, “Instructions for service providers”, updating its instructions on cookie implementation and consent collection. For consent to meet the requirements set in the GDPR, users must have the opportunity to choose whether to accept or reject the terms offered. Consent can be given in a variety of ways, as long as it clearly indicates that the data subject accepts the proposal for the processing of their personal data. Valid consent cannot be given through silence, pre-ticked boxes or inactivity. Refusing and withdrawing consent must be as easy as giving consent. The controller must also be able to demonstrate the consent afterwards.

Location Data

Location data associated with a natural person may be processed for the purpose of offering and using added value services if:
the user or subscriber whose data is in question has given his / her consent;
the consent is otherwise clear from the context; or
the processing is otherwise provided for by law.

In general, location data may only be processed to the extent necessary for the purpose of the processing, and it may not limit privacy any more than absolutely necessary.

The added value service provider shall ensure that:
the user or subscriber located has easy and constant access to specific and accurate information on his / her location data processed, the purpose and duration of its use, and whether the location data will be disclosed to a third party for the purpose of providing the services;
the above mentioned information is available and accessible to the user or subscriber prior to him / her giving his / her consent;


the user or subscriber has the possibility to easily and at no separate charge cancel the consent and ban the processing of his / her location data (if technically feasible).

The user or subscriber is entitled to receive the location data and other traffic data showing the location of his / her terminal device from the added value service provider or the communications provider at any time.

KEY CONTACTS

Markus Oksanen
Partner
T +358 9 4176 0431
markus.oksanen@fi.dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


FRANCE

Last modified 12 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

France updated Law No. 78-17 of January 6, 1978 on information technology, data files and civil liberties (the “Law”) to align with the GDPR with the enactment of (i) Law No. 2018-493 of June 20, 2018 on the protection of personal data, and (ii) Order No. 2018-1125 of December 12, 2018, adopted pursuant to Article 32 of Law No. 2018-493, which updates the Law and other French laws relating to personal data protection in order to “simplify the implementation and make the necessary formal corrections to ensure consistency with EU data protection law”. French domestic data protection legislation was further completed with the adoption of Decree No. 2019-536, adopted for the application of the Law (the “Decree”). The Decree clarifies the procedural rules of the French data protection authority, including its control and sanctions, and further specifies data subject rights.

Territorial Scope

As of today, Article 3 of the Law provides that it applies when (i) the data controller or data processor is established in France (whether or not the processing takes place in France) or (ii) the targeted data subjects reside in France.

DEFINITIONS


“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The definitions under the Law are the same as under the GDPR. Article 2 of the Law makes an express reference to the GDPR definitions, thus harmonizing the definitions and concepts of French law with the GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The « Commission Nationale de l’Informatique et des Libertés » or « CNIL » is the French Supervisory Authority.

Address
3 place de Fontenoy
TSA 80175
75334 Paris Cedex 07


Telephone
01 53 73 22 22
01 53 73 22 00

Website
www.cnil.fr

The CNIL has different missions and powers, which mainly include (i) informing data subjects and data controllers / processors (whether public or private) about their rights and obligations; (ii) ensuring compliance of all personal data processing with French and EU data protection rules as well as data protection rules resulting from international commitments of France; (iii) anticipating new challenges and issues arising from innovation and the use of new technologies, including privacy in general and ethics; and (iv) controlling and sanctioning. In addition, the Law provides for mutual assistance and joint operations with other EU Supervisory Authorities, as well as cooperation with non-EU supervisory authorities.

The CNIL has a range of tools to fulfil its missions, including e.g., the publication of reference frameworks, created after consultations with the stakeholders or sectors at hand, among which are standard regulations (which are mandatory in respect of the processing of biometric, genetic, health or criminal convictions and offences data), reference methodologies in the health sector, guidelines, recommendations and standards, approval of codes of conduct and certifications, and a broad range of on-site and off-site investigation powers and sanctions. The Law provides further precisions on the functioning of the CNIL and its specific tasks and powers, notably the extent of on-site investigations and procedural requirements, in connection with the missions described above.

REGISTRATION

There are no EU-wide systems of registration or notification, and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

Prior formalities with the CNIL are no longer required and are replaced by the obligation to hold a record of processing which includes the same categories of information as those initially requested in the filing forms.

However, formalities are maintained for the processing of data in the health sector, which is subject either to a declaration of conformity to specific requirements defined by the CNIL or to an authorization by the CNIL. In this respect, the CNIL published several updated methodologies of reference (“Methodologies de Reference” or “MR”) in July 2018 and is in the process of drafting additional matter-specific reference methodologies (e.g. research, studies and evaluations that do not involve human persons). A formal commitment to comply with these methodologies exempts the data controller – generally the sponsor of the research – from having to apply for a formal authorization with the CNIL.

Certain specific processing of personal data must be authorized by decree of the State Council (Conseil d’Etat) or


ministerial order, taken after a motivated and public opinion of the CNIL. These processing operations are as follows:
Processing of the social security number (with a few exceptions);
Processing carried out by or on behalf of the State, acting in the exercise of its public authority prerogatives, of genetic or biometric data necessary to the authentication or identity control of individuals;
Processing carried out on behalf of the State (i) which concerns State security, defense or national security, or (ii) whose purpose is the prevention, investigation, detection or prosecution of criminal offences, or the enforcement of criminal convictions or security measures.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:
it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):
to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
to monitor compliance with the law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff;
to advise on and monitor data protection impact assessments where requested; and
to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Law provides that controllers processing personal data under the scope of the EU Data Protection Directive on Police and Criminal Justice Cooperation must appoint a DPO, with the exception of jurisdictions acting within the scope of their judicial activity.

The Decree specifies the mandatory information to be communicated to the CNIL by data controller(s) or processor(s) in the DPO notification form. On 20 September 2018, the CNIL issued two standards regarding the certification of DPO skills: one regarding the skills and know-how expected to be certified as DPO (CNIL Deliberation No. 2018-318), and the other regarding the criteria applicable to certifying DPO organisations (CNIL Deliberation No. 2018-317).

COLLECTION & PROCESSING


Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):
processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up-to-date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):
with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);
where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies);
where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):
with the explicit consent of the data subject;
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
in limited circumstances by certain not-for-profit bodies;
where processing relates to personal data which are manifestly made public by the data subject;
where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;


where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with the restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:
any link between the original purpose and the new purpose;
the context in which the data have been collected;
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are, it will be much harder to form the view that a new purpose is compatible);
the possible consequences of the new processing for the data subjects; and
the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:
the identity and contact details of the controller;
the data protection officer’s contact details (if there is one);
both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
the recipients or categories of recipients of the personal data;
details of international transfers;
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;


the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
the consequences of failing to provide data necessary to enter into a contract;
the existence of any automated decision making and profiling and the consequences for the data subject; and
in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject; or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.


In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:
a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Special category data

The Law contains specific provisions regarding the processing of health data (e.g. see above regarding authorization requirements), as well as additional provisions regarding the processing of special categories of personal data.

Criminal convictions and offences data

The following categories of persons can process such personal data:
Courts, public authorities and legal persons entrusted with a public service, acting within the scope of their legal functions, as well as entities collaborating with judicial entities as listed in the Decree;
Auxiliaries of justice, for the strict exercise of their functions;
Individuals and private entities, to prepare, bring or defend a claim in court as a victim or defendant, and to execute the court decision, for the duration strictly necessary for these purposes. It is possible to share such information with third parties under the same conditions and for the same purposes;
Collective IP rights management organizations, for the purpose of defending those rights; and
Persons reusing public information appearing in published rulings, provided that the processing has neither the purpose nor the effect of allowing the re-identification of the persons concerned.

In addition, the following categories of persons are authorized by the Decree to process personal data relating to criminal convictions, offenses or related security measures:
Victim support associations contracted by the Ministry of Justice;
Associations assisting the reintegration of persons placed under the authority of justice, in accordance with their social object;
The establishments mentioned in 2° of I of Article L. 312-1 of the Code of Social Action and Families, as part of their mission of medico-social support;
The establishments and services mentioned in 4° and 14° of I of Article L. 312-1 of the Code of Social Action and Families;
The drop-in and reception centers mentioned in III of Article L. 312-1 of the Code of Social Action and Families;
The authorized medical or medico-educational establishments mentioned in articles 15 and 16 of Order No. 45-174 of 2 February 1945 relating to delinquent childhood;

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World France 373 | | | www.dlapiperdataprotection.com

The public or private educational or vocational training institutions, authorized and appropriate boarding schools

for juvenile school-aged offenders mentioned in Articles 15 and 16 of the aforementioned order of  2 February

1945;

Private legal entities exercising a public service mission or the authorized associations mentioned in Article 16 of

the aforementioned order of  2 February 1945;

The legal representatives for the protection of the adults mentioned in Article L. 471-1 of the Code of Social

Action and Families.

The CNIL may issue standard regulations, prescribe additional measures to be implemented, including of a technical and

organizational nature, and / or complementary guarantees for the processing of special categories of data, including notably

criminal convictions and offences data, by public and private entities (except for processing carried out in connection with

the exercise of public authority by or on behalf of the State).

In addition, processing of criminal convictions and offences data the purpose of which is the prevention, investigation, detection

or prosecution of criminal offences, or the enforcement of criminal convictions or security measures by or on behalf of the

State, is subject to an order of the competent Ministry.

Transparency (privacy notices)

The Law mandates data controllers to provide data subjects with information relating to their right to define directives

relating to the processing of their personal data after their death (digital legacy).

In addition, where the data is collected from a data subject under 15, the data controller must provide the mandatory

information provided for by Art. 13 GDPR in a clear and easily accessible language.

Rights of the data subjects

The Decree describes the conditions in which the data subjects can exercise their rights (and more precisely, the

conditions to check the identity of the data subject making the right request).

Data subjects’ rights can be restricted notably to avoid obstructing administrative investigations, inquiries or procedures,

to safeguard the prevention, investigation, detection and prosecution of criminal offences, as well as of administrative

enquiries, or to protect the rights and freedoms of others.

Digital legacy

Data subjects have the right to give instructions regarding the storage, deletion and communication of their personal data

after their death (Articles 48 and 85 of the Law). Such instructions can be either:

General, in which case they apply to all their personal data, irrespective of who the controller is. Such instructions

can be given to a trusted third party certified by the CNIL; however, the implementing decree in this respect has

never been adopted since the adoption of this provision in 2016; or

Specific to one or several services, in which case the data subject can also give his / her instructions to the

relevant data controller. It is required to obtain the specific consent of the data subject, and such consent cannot

derive from his/her consent to general terms and conditions.

If the data subject has not given any instructions in his / her lifetime, then his / her heirs can exercise certain rights, in

particular:

The right of access, if it is necessary for the settlement of the succession; and

The right to close the deceased’s accounts and to cease the processing of his / her personal data, or to request the

update of the personal data of the deceased.


TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay, New Zealand and Japan.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The EU-US Privacy Shield

Framework does not constitute an appropriate safeguard for transferring personal data to the USA since the European

Commission Decision 2016/1250 (which was the legal basis of the EU-US Privacy Shield) has been invalidated by the European

Court of Justice on 16 July 2020 (Case C-311/18). The GDPR has removed the need which existed in some Member States under

the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defense of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

In the event processing of personal data involves a transfer of data outside the European Union territory, data subjects

must be provided with mandatory information on, inter alia, the data transferred, the purpose of the transfer, the

recipients of the data and the transfer mechanism used in accordance with the GDPR.

With respect to transfers made on the basis of the second subparagraph of Article 49(1) of the GDPR (“compelling legitimate interests”), the Decree

provides that the CNIL will define templates (including annexes) to be used by data controllers to inform the CNIL about

such transfers.

With respect to transfers made on the basis of a code of conduct or other certification mechanism approved by the CNIL

in accordance with the Law and the Decree, the Decree provides that data controllers / data processors that rely on such

transfer mechanisms shall provide the CNIL with a binding and enforceable commitment to apply appropriate safeguards

to data subjects’ rights and freedoms in the concerned third country.

such transfer and require the State Council to send a reference for a preliminary ruling to the European Court of Justice.


SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.

No specific requirements other than those set forth in the GDPR.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The Decree restricts the obligation of notification under Article 34 of the GDPR for the following processing:

Processing of personal data allowing the identification, directly or indirectly, of individuals whose identity is

protected under Article 39 sexies of the French law on the freedom of the press; and

Administrative, financial and operational data, as well as health data processing for which the notification of an

unauthorized disclosure or access is likely to result in a risk for national security, defence or public safety, due to the

volume of data affected by the breach and the private information it contains (such as the family address or

composition).

The Law provides that a Decree by the State Council, adopted after seeking the CNIL’s opinion (yet to be adopted), will

specify a list of categories of processing and processing operations that derogate from the data breach notification

requirement. Such derogation will only apply to processing operations that are necessary pursuant to a legal obligation bearing on the

data controller or a public interest mission vested in the data controller, where such data breach notification would likely

result in a risk to homeland security, defence or public safety.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

For instance, in France, criminal penalties of up to 5 years of imprisonment and a EUR 300,000 fine for natural persons

(EUR 1,500,000 for legal persons) may also apply.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Law does not contain explicit provisions with respect to electronic marketing. However, Article L. 34-5 of the French Postal

and Electronic Communications Code regulates electronic marketing in France. The CNIL has issued guidelines on the basis of this

provision.

The CNIL distinguishes between B2B and B2C relationships. In any event, all electronic marketing messages must specify the name

of the advertiser and allow the recipient to object to the receipt of similar messages in the future.

Electronic marketing to consumers (B2C)

Electronic marketing activities are authorised provided that the recipient has given consent at the time of collection of his / her

email address.


This principle does not apply when:

the concerned individual is already a customer of the company and if the marketing messages sent pertain to products or

services similar to those already provided by the company, or

the marketing messages are not commercial in nature.

In any event the concerned individual, at the time of collection of his / her email address, must be informed that it will be used for

electronic marketing activities, and be able to easily and freely object to such use.

Electronic marketing to professionals (B2B)

Electronic marketing activities are authorized provided that the recipient has been, at the time of collection of his / her email

address:

informed that it will be used for electronic marketing activities, and

able to easily and freely object to such use.

The message sent must relate to the concerned individual’s professional activity. Please note that email addresses such as

contact@companyname.fr are not subject to the requirements of prior consent and the right to object.

ONLINE PRIVACY

Cookies

The EU Cookie Directive has been implemented in the Law. It states that any subscriber or user of electronic communications

services must be fully and clearly informed by the data controller or its representative of:

the purpose of any cookie (ie, any means of accessing or storing information on the subscriber’s / user’s device, eg, when

visiting a website, reading an email, installing or using software or an app), and

the means of refusing cookies,

unless the subscriber / user has already been so informed.

Cookies are lawfully deployed if the subscriber / user has expressly consented after having received information. Valid consent can

be expressed via browser settings if the user can choose the cookies he / she accepts and for which purpose.

However, the foregoing provisions do not apply:

to cookies the sole purpose of which is to allow or facilitate electronic communication by a user, or

if the cookie is strictly necessary to provide online communication services specifically requested by the user.

Location and traffic data

The Postal and Electronic Communications Code deals with the collection and processing of location and traffic data by electronic

communication service providers (CSPs).

All traffic data held by a CSP must be erased or anonymised. However, traffic data may be retained, for example:

for the purpose of finding, observing and prosecuting criminal offences;

for the purpose of billing and payment of electronic communications services; or

for the CSP’s marketing of its own communication services, provided the user has given consent thereto.

Subject to exceptions (observing and prosecuting criminal offences; billing and payment of electronic communications services),

location data may be used in very limited circumstances, for example:

during the communication, for the proper routing of such communication, and

where the subscriber has given informed consent, in which case the location data may be processed and stored after the


communication has ended. Consent can be revoked free of charge at any time.

Cookies

The French Data Protection Supervisory Authority (CNIL) replaced its 2013 guidelines regarding cookies and trackers,

which were no longer compliant with the GDPR, with revised guidelines. Following the adoption of a version of its guidelines

on cookies and other trackers on 4 July 2019, which was partially annulled by a decision of the French highest

administrative court, the Conseil d’Etat, on 19 June 2020, the CNIL adopted revised guidelines and the final version

of its recommendations on the practical procedures for collecting consent concerning cookies and other trackers. The

CNIL’s revised guidelines, adopted by way of deliberation n°2020-091 of September 17th, 2020, are based on Article 82 of

the Data Protection Act (“Loi Informatique et Libertés”), which implements Article 5(3) of the EU “ePrivacy” directive into

French law.

While the Revised Guidelines provide the CNIL’s guidance on how to read the relevant provisions of the French Data

Protection Act, which governs the use of cookies and other trackers in France, the Recommendations provide practical

guidance and examples to help professionals navigate the rules applicable to cookies and other trackers and comply with

the requirements of Article 82 of the French Data Protection Act. These two documents constitute “soft law” and are

not binding, but provide strong references for organizations to anticipate how the CNIL may conduct its compliance

investigations.

Regarding consent, the CNIL has now specified that consent must be:

unambiguous: to align with the guidelines on consent issued by the Article 29 Working Party, the CNIL repeals

its previous position according to which scrolling down, browsing or swiping through a website or app was

considered an acceptable expression of consent to cookies and allowed cookies to be placed. Therefore,

for the CNIL, continuing to navigate on a website or using an application is no longer acceptable as evidence of

consent to cookies. The absence of action from the user (i.e., no choice made by the user) can no longer be

construed as valid consent but should rather be construed as refusal. This operates a shift from “soft opt-in” to

active consent. The revised guidelines also outline that pre-ticked boxes do not meet the GDPR standard of

consent;

freely given: the data subject must be able to exercise his / her choice freely. The CNIL has revised (albeit

subtly) its previous position regarding “cookie walls” (the practice of subjecting prior access to a website or

application to the acceptance of cookies): where the CNIL previously considered that consent could never be freely given

when collected using cookie walls, the revised guidelines now specify that cookie walls are likely to hinder freely

given consent;

specific: consent must be tailored to each purpose. Therefore acceptance of the general terms and conditions as

a whole (“bundled” consent) does not constitute valid consent;

informed: information to data subjects must be easily understandable by any of them. Information must be given

in plain language. The use of complex technical or legal terms does not meet the requirement of prior

information. Such information must at least include (i) the identity of the data controller(s) implementing the

trackers (ii) a thorough list of the purpose(s) of the reading or writing operations (iii) the means available to

consent or object to the use of cookies (iv) the consequences of accepting or refusing the use of cookies and (v)

the right to withdraw consent;

evidenced: all organizations that use cookies must implement appropriate mechanisms that allow them to

demonstrate, at all times, that they have validly obtained consent from users. The revised guidelines specifically

provide that users choices, be it consent or refusal, must be (i) clearly presented to users, notably as regards the

available means to exercise such choice, (ii) collected and clearly evidenced (the recommendations give examples

of how to ensure such evidence through the use of a consent management platform, screen capture, etc.) and (iii)

recorded by data controllers, for an appropriate duration during which they would not ask the users again for

their consent. Such duration may vary depending on the nature of the site or application concerned. According to

the Recommendations, a good practice in that respect is 6 months – at the expiry of that term, controllers could

ask users again to consent (or refuse) to the use of cookies and trackers; and


https://www.conseil-etat.fr/ressources/decisions-contentieuses/dernieres-decisions-importantes/conseil-d-etat-19-juin-2020-lignes-directrices-de-la-cnil-relatives-aux-cookies-et-autres-traceurs-de-connexion%20

https://www.cnil.fr/sites/default/files/atoms/files/lignes_directrices_de_la_cnil_sur_les_cookies_et_autres_traceurs


revocable: organizations are encouraged to put in place user-friendly solutions to allow users to withdraw their

consent as easily as they gave it. The CNIL highlights the fact that means to refuse cookies and trackers must be

“as easy” as means available to accept use thereof. As a result, users must not be subjected to complex

procedures for refusing cookies and trackers and withdraw their consent, which they must be able to do at any

time. To that end, the CNIL provides practical examples and good practices in the Recommendations, from the

use of a “reject all” button to the availability of a visible “cookies” icon enabling users to configure their choices

and withdraw their consent.

As far as data retention is concerned, the cookies’ validity period remains 13 months, while information collected via the

trackers for the purpose of audience measurement can be retained for 25 months.

The CNIL has granted six months to allow the organizations to become compliant with these new guidelines, which will

end in March 2021. However, during this transition period, the CNIL will not accept as a valid consent the continuation of

browsing. In the same manner, the other requirements (such as the prohibition to install cookies before such acceptance

is given, the possibility to withdraw the consent, mandatory information, etc.) will still be subject to the CNIL’s control

and sanction.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Denise Lebeau-Marianna
Partner

T + 33 (0)1 40 15 24 98

denise.lebeau-marianna@dlapiper.com


https://www.dlapiperdataprotection.com/scorebox/


GABON

Last modified 10 January 2022

LAW

The data protection regime in Gabon is governed by the following laws and regulations: 

Law No. 001/2011 on the Protection of Personal Data (“the Law”);

Law No. 26/2018 of 22 October 2018 regarding Electronic Communications in Gabon;

Law No. 02/2004 of 30 March 2005 ratifying the International Convention for the Suppression of the Financing of

Terrorism;

Regulation No. 01/03 -CEMAC-UMAC relating to the Prevention and Suppression of Money Laundering and Financing of

Terrorism in Central Africa;

Order n°00000014/PR/2018 of February 23, 2018 on the regulation of electronic transactions in the Gabonese Republic;

and

Order No. 15-PR-2018 on the Regulation of Cybersecurity and the Fight against Cybercrime.

DEFINITIONS

Definition of Personal Data

Any information relating to an identified or identifiable natural person, directly or indirectly, by reference to an identification

number or to one or more elements, specific to his physical, physiological, genetic, psychological, cultural, social or economic

identity (Article 6 of the Law).

Definition of Sensitive Personal Data

All personal data relating to religious, philosophical, political or trade union opinions or activities, sex life, race,

health, social measures, prosecution, and criminal or administrative sanctions (Article 6 of the Law).

NATIONAL DATA PROTECTION AUTHORITY

The Gabonese National Authority for Data Protection is the CNPDCP (La Commission nationale pour la protection des données à

caractère personnel). Its main duties are to ensure that any processing of personal data is carried out in accordance with the

provisions of the Data Protection Law and to inform all data subjects, data controllers, and others involved of their rights and

obligations.

The CNPDCP deals with:

receiving the notifications of data controllers regarding processing operations;

authorising processing operations that involve a high risk to rights and liberties of individuals;

establishing and publishing standards for personal data processing and enacting model regulations for security (in this context, CNPDCP has issued guidelines on the processing of personal data in the context of CCTV systems);

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Gabon 382 | | | www.dlapiperdataprotection.com

receiving complaints, petitions, and claims relating to the processing of personal data of an individual;

advising public authorities, and where appropriate individuals and organisations on how to implement data processing

operations;

informing, without delay, the Public Prosecutor on offences committed;

carrying out inspections, audits, and obtaining all information and documents considered necessary;

answering requests for accessing processing operations;

giving opinions, if requested, on the level of compliance of organisations as well as designing compliance products and

rules;

awarding compliance labels regarding personal data processing complying with the Data Protection Law;

proposing to the Government of Gabon legislative or regulatory measures with regard to the evolution and adaptation of

new technologies and the processing of personal data;

representing Gabon in the international community on data protection related matters;

preparing and denying, at the request of the Prime Minister, the Gabonese position on data protection related matters in

view of international negotiations;

imposing sanctions and penalties and delivering enforcement notices to data controllers in the case of non-conformity

with the Data Protection Law; and

submitting an annual activity report to the President of the Gabon National Assembly.

REGISTRATION

There is no country-wide system of registration in Gabon. However, the processing of personal data may be subject to prior notification to, or authorisation from, the CNPDCP.

The requirement of prior authorisation is applicable in the following circumstances: 

automatic or non-automatic processing of data regarding criminal convictions and infractions, except for processing

carried out by Justice officials in the context of their obligations to ensure the security of possibly affected persons;

automatic processing of genetic data (except when carried out by healthcare professionals for the purpose of preventive

medicine, medical diagnosis or the provision of medical care and treatment);

automatic processing which, considering the nature of the data or of the underlying purpose of processing, may result in

excluding an individual from rights, benefits, contributions, or contract(s), without a legal or regulatory basis;

automatic processing aimed at interconnection by one or more entities in the context of public service aimed at different

public interests, or interconnection between different entities, for different purposes;

processing which concerns a person’s registration number in a national identification database;

automatic processing of data containing comments, observations, and analysis of social difficulties experienced by

individuals; and

automatic processing of biometric data required for controlling the identity of individuals. 

The CNPDCP shall take a decision within two months from receiving the request for authorisation. This time limit may be

renewed once by a decision from the President of the CNPDCP. Where the CNPDCP has not taken a decision within these time

limits, the application for authorisation shall be deemed to be rejected. 

Specific data processing activities are subject to ministerial approval. Data processing carried out on behalf of the State and aimed at State security, defence or public safety, or carried out for the purpose of preventing, investigating, detecting, pursuing or executing criminal infractions, is approved by the competent Government ministry(ies), subject to a prior opinion of the CNPDCP. Other matters, such as publicly relevant processing aimed at a public census, are approved by legislative measures.

Other data processing operations are subject to a mere prior notification to the CNPDCP, except if a complete exemption from

notification or authorisation applies.

Specifically, the following activities are exempt from formalities:

processing operations aimed solely at forming a register which is legally intended exclusively for public information and is open to public consultation by any person with a legitimate interest;

processing operations by any organisation, not-for-profit organisation, or any religious, political, philosophical, or trade union organisation or association – this exemption only applies if:

the processing operations correspond to the formal and official purpose of said organisation/association;

the processing relates only to its members and, where applicable, to people who have regular contact with the organisation/association in the context of its activity; and

the data is not disclosed to third parties, unless the data subject has given his/her consent;

processing operations for which the data controller has appointed a data protection officer (‘DPO’), unless personal data is being transferred across borders.

In addition, the CNPDCP may identify specific data processing operations which, due to their simplicity and low-risk level, may be

subject only to a simplified notification process. This simplified process includes: 

the purposes of the processing operations;

personal data or categories of personal data processed;

the category or categories of persons concerned;

the addressees or categories of addressees to whom personal data are communicated;

the data retention periods.

DATA PROTECTION OFFICERS

The appointment of a DPO is not mandatory; it is left at the exclusive discretion of the data controller. In any event, we call attention to the

concept of DPO in the context of the Gabon law. Indeed, the position of DPO in the Data Protection Law is not entirely aligned

with the terms in which this position is defined and approached in the General Data Protection Regulation (Regulation (EU)

2016/679) (‘GDPR’). Please note that the Data Protection Law precedes the GDPR and has not since been amended. Rather, the

concept is interpreted, in practice, as a position whereby a person assumes responsibilities on data protection within the company,

and as a potential point of contact with the CNPDCP. 

Notwithstanding the above, the holder of this position must have the qualifications required to carry out the role, namely professional qualities, in particular knowledge of law and data protection related matters. If this position exists within the data controller’s organisation, this must be made known to the CNPDCP.

COLLECTION & PROCESSING

The data processor must present sufficient guarantees to ensure the security and confidentiality of personal data. This requirement does not relieve the data controller of its obligation to ensure compliance with the measures concerning security and confidentiality set out in Chapter V of the Data Protection Law.

The obligations of data controllers include:

Transparency: The data controller must inform the data subject of the terms of processing when the data is not collected from the data subject. In addition, the data controller must inform the data subject at least before the first communication and must also guarantee a lawful basis to carry out the processing operation.

Confidentiality: The data controller must ensure that the processing of personal data is only carried out under his authority and instructions. In addition, the data controller must guarantee that only individuals who have technical and legal knowledge regarding the integrity of data deal with personal data, and in this sense must ensure that those individuals have signed a non-disclosure agreement.

Security: The data controller is required to take any appropriate precautionary measures in regard to the nature of the personal data, and, in particular, shall prevent personal data from being distorted, damaged, or accessed by unauthorised third parties. In particular, the data controller must:

create different levels of access permissions, on a need-to-know basis depending on the position of its employees,

thus avoiding unauthorised actions;

use encryption or pseudonymisation;

keep a record of who accesses the personal data, when and why, ensuring traceability of its use;


maintain backups in secondary sources to prevent accidental changes or loss of data; and

ensure the identity of the person who wants to access the data or the identity of the parties to whom the data

will be disclosed.

Retention: The data controller must guarantee that the data is kept for no longer than is necessary for the purpose for which it was collected.

The Data Protection Law expressly provides for limited data controller rights, and in practice provides data controllers with the

right to:

process personal data in the conditions provided for by law;

refuse compliance with unreasonable requests and demands from data subjects; and

appeal any sanctioning decisions by the CNPDCP before the State Counsel. 

By contrast, data subjects are entitled to the following rights:

obtain all of their personal data in an understandable form, as well as any available information as to the origin;

oppose, for legitimate reasons, the processing of personal data concerning them;

oppose the processing of their personal data for prospecting purposes;

rectify, complete, update, lock, or delete personal data concerning them, where it is inaccurate, incomplete, equivocal, out

of date, or if collection, use, communication or conservation is prohibited; and

not be subject to decisions made on the sole basis of an automated processing that would produce significant or

detrimental legal repercussions for them. 

Interconnection of personal data shall:

not discriminate against or infringe on the fundamental rights, freedoms, and guarantees of holders of the data;

ensure the use of appropriate safety measures; and

take into account the principle of relevance (Articles 89 and sq. of the Law).

TRANSFER

Data transfers to another country are prohibited unless the other country ensures an adequate level of privacy protection and

protection of fundamental rights and freedoms of individuals with regard to the processing operation. 

The list of countries that comply with this adequate level of protection shall be published by CNPDCP. As far as we are aware,

this list has not yet been published. However, the Data Protection Law does identify the criteria which must be considered by the

CNPDCP in order to determine adequacy: 

the legal provisions existing in the country in question;

the security measures enforced;

the specific circumstances of the processing (such as the purpose and duration thereof); and

the nature, origin, and destination of the data. 

As an alternative to the ‘adequacy’ criteria, data controllers may transfer data if: 

the data subject has consented expressly to its transfer;

the transfer is necessary to save that person’s life;

the transfer is necessary to safeguard a public interest;

the transfer is necessary to ensure the right of defence in a court of law; or

the transfer is necessary for the performance of a contract between the data subject and the data controller, at the

request of the data subject, or for the performance of a contract between the data controller and a third party in the

interest of the data subject. 

Please kindly note that, except in very specific circumstances, the international transfer of non-encrypted personal data for the

purpose of investigation in the health sector is not possible, given the sensitivity of the data at stake. 


In relation to outsourcing, the Data Protection Law does not provide for specific provisions, except: 

the obligations applicable to the relationship with data processors;

when data processors are located outside the country, the provisions applicable to international data transfers; and

general security obligations, which vary depending on the nature of the data at stake (Article 94 and sq. of the Law). 

No references are included to specific concerns regarding, for example, outsourcing to the cloud or to data centres.

SECURITY

Article 66 of the Law states that in order to guarantee the security of personal data, the data controller is required to take all

necessary precautions with regard to the nature of the data and, in particular, to prevent it from being distorted, damaged or

accessed by unauthorized third parties. In particular, he/she shall take all measures to:

guarantee that, for the use of an automated data processing system, authorized persons can only access personal data

within their competence;

guarantee that the identity of third parties to whom personal data may be transmitted can be verified and established;

guarantee that the identity of persons who have had access to the information system, and which data have been read or introduced into the system, at what time and by which person, can be verified and established a posteriori;

prevent any unauthorized person from accessing the premises and equipment used for data processing;

prevent data carriers from being read, copied, modified, destroyed or moved by an unauthorized person;

prevent the unauthorized entry of any data into the information system and the unauthorized access, modification or

deletion of stored data;

prevent the use of data processing systems by unauthorized persons using data transmission facilities;

prevent unauthorized reading, copying, modification or deletion of data during data communication and transport of data

carriers;

back up data by making back-up copies;

refresh and, if necessary, convert the data for permanent storage. 

No specific requirements other than those set forth in the Law.

BREACH NOTIFICATION

There is no general data breach notification requirement. However, this is without prejudice to specific CNPDCP rights to

monitor and control compliance and, in this context, demand information, documentation and other materials in the context of its

supervisory powers.

Mandatory breach notification

No mandatory breach notification protocol is stipulated under Gabonese law.

ENFORCEMENT

As of 22 December 2021, we have not identified any notable enforcement decision issued by the CNPDCP pertaining to the Law.

ELECTRONIC MARKETING

The Personal Data Act will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an

email address which includes the recipient’s name). 

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 37 of Order

n°00000014/PR/2018 of February 23, 2018 on the regulation of electronic transactions in the Gabonese Republic). 

Even when a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 14 of

the Personal Data Act.


The data subject has the right to object at any time to the use of his/her personal data for such marketing under Article 13 of the

Personal Data Act. 

This right to object must be explicitly brought to the attention of the data controller. 

However, the data controller is not obliged to respond favourably to a request to exercise the right to object if it demonstrates the existence of legitimate reasons justifying the processing which override the interests, fundamental rights and freedoms of the data subject.

ONLINE PRIVACY

The Law does not provide any specific rules for governing cookies and location data.

However, pursuant to Article 66 and sq. of the Law, the data controller must implement all appropriate technical and organizational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution or access by unauthorized persons.

KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Dr. Sangare Mouhamoud
Associate

Geni & Kebe

T +2250779107541

m.sangare@gsklaw.sn

Dr. Francky Lukanda
Senior Associate

Geni & Kebe

T +2250584344660

f.lukanda@gsklaw.sn


GEORGIA

Last modified 22 December 2021

LAW

The Law of Georgia On Personal Data Protection (N5669-RS, 28/12/2011) (‘PDP Law’).

DEFINITIONS

Definition of Personal Data

Personal data: any information connected to an identified or identifiable natural person. A person is identifiable when he/she

may be identified directly or indirectly, in particular by an identification number or by any physical, physiological, psychological,

economic, cultural, or social features specific to this person.

Definition of Sensitive Personal Data

Special category data: data connected to a person’s racial or ethnic origin, political views, religious or philosophical beliefs, membership of professional organisations, state of health, sexual life, criminal history, administrative detention, putting a person under restraint, plea bargains, abatement, recognition as a victim of crime or as a person affected, and also biometric and genetic data that allow a natural person to be identified by the above features.

Biometric data: Any physical, mental, or behavioural feature which is unique and constant for each natural person and which can

be used to identify this person (fingerprints, footprints, iris, retina (retinal image), facial features). 

Genetic data: Unique and constant data of a data subject relating to genetic inheritance and/or DNA code that makes it possible

to identify them.

NATIONAL DATA PROTECTION AUTHORITY

State Inspector Service (‘State Inspector’).

www.personaldata.ge

REGISTRATION

With certain exceptions (discussed below), there is no requirement under PDP Law to notify or register before processing

personal data. 

The registration requirement applies to databases. According to the PDP Law, a database is any structured set of personal data

where data is arranged and can be accessed based on certain criteria. The PDP Law uses the term filing system to denote a

database.  For example, a customer database or a registry of employees and clients that is subject to processing may qualify as a

filing system. 


The data controller is obliged to have a catalogue on each filing system that provides a detailed description of the filing system’s

structure and content. 

According to the PDP Law, before creating a filing system and entering any new category of data, a data controller shall notify the State Inspector and register the following information about the filing system:

The name;

The names and addresses of a data controller and a data processor;

The place of storing or processing of data;

The legal grounds for data processing;

The category or categories of data subjects;

The data category or categories in a filing system;

The purpose of data processing;

The period of data storage;

The facts and grounds for restriction (if any) of any data subject rights;

The recipient of data stored in a filing system, and their categories;

Information on any cross-border data transfer and transmission of data to international organisation and the legal grounds

for the transfer;

A general description of the procedure established to ensure data safety. 

The data controller shall regularly update the filing system catalogue and notify the State Inspector about any alteration made to the information, no later than 30 days after the alteration.

The notification requirement also applies to cross-border data transfers and to a private organisation’s processing of biometric data.

Before using the biometric data, a data controller must provide the State Inspector with the same information that is provided to

the data subject, specifically the purpose of data processing and the security measures taken to protect the data.

DATA PROTECTION OFFICERS

None.

COLLECTION & PROCESSING

The following minimum requirements must be met when collecting or otherwise processing the personal data: 

A proper legal ground (for example, a data subject’s consent) exists to process the data;

The personal data is processed for specific, clearly defined, and legitimate purposes;

The personal data is processed only to the extent necessary for legitimate purposes;

The personal data is adequate and proportionate to the purpose or purposes for which it was collected and processed;

The data is kept only for the period necessary to achieve the processing’s purpose;

The data controller or data processor takes technical and organisational security measures to ensure the protection of

personal data against accidental or illegal destruction, modification, disclosure, access, and any other form of illegal use or

accidental or illegal loss;

The security measures implemented are appropriate to the risks related to the data processing. 

TRANSFER

Transfer of personal data outside Georgia is admissible without a separate authorisation from the State Inspector if one of the two following conditions applies:

A respective legal ground for data processing exists and the proper standards for the safety of data are secured in the relevant country. The State Inspector has approved the list of such countries;

The processing of data is stipulated under an international agreement between Georgia and the relevant country.


However, the general data processing rules will still apply, including securing a necessary legal ground such as the data subject’s

consent and the requirements of proportionality and necessity. 

If neither of these conditions applies, then there should be a formal written agreement between the transferor and the data’s recipient under which the recipient commits to ensure proper guarantees to protect the data. In this case, the State Inspector must be presented with such agreement and other relevant information or documents for data transfer approval.

SECURITY

A data processor must implement technical and organisational security measures to ensure the protection of personal data against

accidental or illegal destruction, modification, disclosure, access, and any other form of illegal use or accidental or illegal loss.  The

security measures implemented must be appropriate to the risks related to the data processing. 

A record must be kept of all data processing activities carried out on personal data stored in electronic form.  A record must also

be kept of any disclosure or modification of personal data contained in non-electronic form. 

Employees of a data controller or a data processor who are involved in data processing must not act beyond the scope of the

powers conferred upon them. Employees must be bound to protect confidentiality of the personal data, including after termination

of their official duties.

BREACH NOTIFICATION

None.

ENFORCEMENT

The State Inspector has power to carry out inspections of any data controller and data processor on its own initiative or based on

complaints received from data subjects. 

The State Inspector may order: 

Temporary or permanent termination of data processing;

The blocking, destruction, or depersonalisation of personal data;

The termination of transfer;

An issuance of administrative fines. 

The State Inspector also has a duty to report any violations of a criminal nature to the competent authority. The liability for

violation of the data privacy can be criminal, administrative or civil. 

Criminal liability: a fine, corrective labour, imprisonment for three years, or all three may result from the illegal collection, retention, use, or dissemination of personal data that caused substantial damage. For the same action, a legal entity may be subject to a fine, deprivation of the right to run a business, or liquidation together with a fine.

Administrative sanctions: ranging from GEL 500 (approx. USD 160) to GEL 10,000 (approx. USD 3,200) depending on the type of violation.

Civil: claims can be brought by individuals, depending on the damage the breach of the PDP Law caused.

ELECTRONIC MARKETING

PDP Law defines direct marketing as offering of goods, services, employment, or temporary work by mail, telephone calls, email,

or any other telecommunication facility. 

Consent is not required to process personal data obtained from public sources for direct marketing purposes. The data

permissible to be collected from publicly available sources is limited to: name and surname, telephone number, email, and fax

number. 


However, written consent is required if the data processor wishes to use other types of personal data for direct marketing

purposes. 

Individuals are entitled to demand the termination of using their data for direct marketing purposes at any time in the form under

which the direct marketing is conducted.

ONLINE PRIVACY

There is no special regulation with respect to cookies, and the general rules on data collection and processing apply. Georgian websites routinely ask for cookie consent.

There is no requirement to store data in Georgia. However, rules on cross border data transfer will apply.   

KEY CONTACTS

MKD Law

mkdlaw.ge/en

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Baqar Palavandishvili
Lawyer

MKD Law

T +995 32 2553880/81

bpalavandishvili@mkdlaw.ge


GERMANY

Last modified 12 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Germany has adjusted the German legal framework to the GDPR by passing the new German Federal Data Protection Act (Bundesdatenschutzgesetz – ‘BDSG’). The BDSG was officially published on July 5, 2017 and came into force together with the GDPR on May 25, 2018. The purpose of the BDSG is especially to make use of the numerous opening clauses under the GDPR which enable Member States to specify or even restrict the data processing requirements under the GDPR.

Find the English version here: https://www.gesetze-im-internet.de/englisch_bdsg/index.html

In addition to the BDSG, there exist a number of data protection rules in area-specific laws, for example those regulating financial trade or the energy sector. Many of these laws have been adapted to the GDPR by the Second Data Protection Adaptation and Implementation Act EU (Zweites Datenschutz-Anpassungs- und Umsetzungsgesetz EU – ‘2. DSAnpUG-EU’), which generally entered into force on November 26, 2019. However, some particularly relevant laws have so far remained unchanged, most notably the Telemedia Act (Telemediengesetz – ‘TMG’), raising questions about the continued applicability of the data protection rules contained therein.


DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The BDSG uses the same definitions as Art. 4 GDPR. Beyond that, the BDSG contains further definitions for ‘public bodies of the Federation’, ‘public bodies of the Länder’ and ‘private bodies’ in Sec. 2 BDSG.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

CNIL in France or the Garante in Italy). The European Data Protection Board (the replacement for the so-called Article 29

Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the

EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Germany does not have one central Data Protection Authority but a number of different Authorities for each of the 16 German states (Länder) that are responsible for making sure that data protection laws and regulations are complied with.

In addition the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragte für Datenschutz und Informationsfreiheit – ‘BfDI’) is the Data Protection Authority for telecommunication service providers and represents Germany in the European Data Protection Board. To ensure that all the Authorities have the same approach a committee consisting of members of all Authorities for the public and the private sector has been established – the ‘Data Protection Conference’ (Datenschutzkonferenz – ‘DSK’). The coordination mechanism between the German Authorities mirrors the consistency mechanism under the GDPR.

A list with the contact details and websites of the different Authorities can be found at https://www.datenschutzkonferenz-online.de/datenschutzaufsichtsbehoerden.html.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

There are no registration requirements in Germany.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.


This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The threshold to designate a Data Protection Officer (DPO) is much lower in the BDSG. The controller and processor

has to designate a DPO if they constantly employ as a rule at least 20 persons dealing with the automated processing of

personal data, Sec. 38 (1) first sentence BDSG. The meaning of ‘automated processing’ is interpreted broadly by the

German Authorities. It basically covers every employee who works with a computer.

If the threshold of 20 persons is not reached, Sec. 38 (1) second sentence BDSG regulates in addition to Art. 37 GDPR,

that a DPO has to be designated in case the controller or processor undertakes processing subject to a data protection

impact assessment pursuant to Art. 35 GDPR, or if they commercially process personal data for the purpose of transfer,

of anonymized transfer or for purposes of market or opinion research.

Furthermore, a dismissal protection for the DPO is provided in Sec. 38 (2) in conjunction with Sec. 6 (4) BDSG. Where

the controller or processor is obliged to appoint a DPO, the dismissal of a DPO who is an employee is only permitted in

case there are facts which give the employing entity just cause to terminate without notice. After the activity as DPO has

ended, a DPO who is an employee may not be terminated for a year following the end of appointment, unless the

employing entity has just cause to terminate without notice.

Additionally, Sec. 38 (2) in conjunction with Sec. 6 (5) and (6) BDSG stipulates that the DPO shall be bound by secrecy

concerning the identity of data subjects and concerning circumstances enabling data subjects to be identified, unless he /

she is released from this obligation by the data subject. Also, the DPO has the right to refuse to give evidence under

certain conditions.

Moreover, the German Authorities require that the DPO speaks the language of the competent Authorities and data subjects, ie German, or at least that instant translation is ensured.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate


basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed

are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation under EU or Member State law to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was

not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about the how the data have been used by the controller.


Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results

relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the

search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

(a) necessary for entering into or performing a contract;

(b) authorized by EU or Member State law; or

(c) the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The BDSG has additional rules regarding processing of special categories of personal data. Contrary to Art. 9 (1) GDPR,

processing of such data is permitted by public and private bodies in some cases, see Sec. 22 (1), 26 (3) BDSG. Also, Sec.

24 BDSG determines cases in which controllers are permitted to process data for a purpose other than the one for which

the data were collected.

Sec. 4 BDSG provides a special rule for video surveillance of publicly accessible areas. According to the German DPAs as well as the German Federal Administrative Court (Bundesverwaltungsgericht – ‘BVerwG’) and the near unanimous opinion in German legal literature, the provision is not compliant with the GDPR insofar as it regulates surveillance by private bodies (Sec. 4 (1) Nos. 2, 3 BDSG). This is based on the argument that the GDPR does not contain any opening clause on which these deviations from Art. 6 (1) GDPR could be based.

Furthermore, the BDSG provides special rules regarding processing for employment-related purposes in Sec. 26 BDSG.

The German legislator has made very broad use of the opening clause in Art. 88 (1) GDPR and has basically established a specific employee data protection regime. These new rules reflect the previous German employee privacy rules, with the consequence that the existing body of case law of the German Federal Labour Court (Bundesarbeitsgericht – ‘BAG’) will continue to apply.

In case the processing is conducted for employment-related purposes it is subject to Sec. 26 BDSG only and a recourse to

the general legal grounds set out in Article 6 GDPR is blocked. Personal data of employees can only be processed in the

employment context (setting aside some very special cases under the BDSG when it comes to the assessment of the

working capacity of the employee and other handling of special categories data as well as exchange of data with the works

council) in the following cases:

The processing is necessary for hiring decisions or, after hiring, for carrying out or terminating the employment

contract (Sec. 26 (1) sentence 1 BDSG) (please note that the BAG interprets the predecessor provision more broadly than Art. 6 (1) (b) GDPR)

Employees’ personal data may be processed to detect criminal offenses only if there is a documented reason to

believe the data subject has committed such an offense while employed, the processing of such data is necessary

to investigate the offense and is not outweighed by the data subject’s legitimate interest in not processing the

data, and in particular the type and extent are not disproportionate to the reason (Sec. 26 (1) sentence 2 BDSG)

The processing is based on a works council agreement which complies with the requirements set out in Art. 88 para. 2 GDPR (Sec. 26 (4) BDSG)

The processing is based on the employee’s consent in written or electronic form. A derogation from this form

can apply if a different form is appropriate because of special circumstances (but this derogation will rarely apply in

practice). Moreover, the utilization of consent as basis for the processing is particularly problematic in Germany as

Sec. 26 (2) BDSG stipulates requirements in addition to Art. 7 GDPR. If personal data of employees are processed

on the basis of consent, then the employee’s level of dependence in the employment relationship and the

circumstances under which consent was given shall be taken into account in assessing whether such consent was

freely given. Consent may be freely given in particular if it is associated with a legal or economic advantage for the

employee, or if the employer and employee are pursuing the same interests. The German DPAs interpret this

provision in a way that employee consent cannot be used for processing of personal data which directly relates to

the employment relationship, but only to supplementary services offered by the employer (eg, private use of

company cars or IT equipment, occupational health management or birthday lists).

Notwithstanding, processing of employee personal data for purposes that are not specifically related to employment as

such can still be based on Art. 6 (1) GDPR. In particular, controllers that are part of a group of companies may be able to

base transfers of data within the group for internal administrative purposes on their legitimate interests in accordance

with Art. 6 (1) (f) GDPR (as stated by Recital 48 of the GDPR).

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand. Adequacy decisions have since also been adopted for Japan (2019), the United Kingdom (2021) and the Republic of Korea (2021).

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on the condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. Note that the EU-US Privacy Shield Framework, formerly also on that list, was invalidated by the CJEU in July 2020 (Schrems II, Case C-311/18) and can no longer be relied upon as a transfer mechanism. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

In Germany, the same rules apply as set out in Article 44 et seqq. GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.


The BDSG has additional rules regarding the processing of special categories of personal data in Sec. 22 (2) BDSG. In case

of processing of such data, appropriate and specific measures have to be taken to safeguard the interests of the data

subject.

Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of

processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the

processing, these measures may include in particular the following:

technical and organizational measures to ensure that processing complies with the GDPR

measures to ensure that it is subsequently possible to verify and establish whether and by whom personal data

were input, altered or removed

measures to increase awareness of staff involved in processing operations

designation of a data protection officer

restrictions on access to personal data within the controller and by processors

the pseudonymization of personal data

the encryption of personal data

measures to ensure the ability, confidentiality, integrity, availability and resilience of processing systems and

services related to the processing of personal data, including the ability to rapidly restore availability and access in

the event of a physical or technical incident

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures

for ensuring the security of the processing

specific rules of procedure to ensure compliance with this Act and with the GDPR in the event of transfer or

processing for other purposes

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The German BDSG only contains slight changes and additions to the regulations in Art. 33, 34 GDPR.

Sec. 29 (1) BDSG stipulates that, in addition to the exception in Art. 34 (3) GDPR, the obligation to inform the data subject of

a personal data breach according to Art. 34 GDPR shall not apply as far as meeting this obligation would disclose

information which by law or by its nature must be kept secret, in particular because of overriding legitimate interests of a

third party. By derogation from this, the data subject pursuant to Article 34 GDPR shall be informed if the interests of the

data subject outweigh the interest in secrecy, in particular taking into account the threat of damage.

According to Sec. 43 (3) BDSG, a notification pursuant to Art. 33 GDPR or a communication pursuant to Article 34 (1)

GDPR may be used in proceedings pursuant to the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten –

‘OWiG’) against the person required to provide a notification or a communication only with the consent of the person

obligated to provide a notification or a communication.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.


Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In October 2019 the German data protection authorities published guidelines for calculating administrative fines against

‘business undertakings’ under Article 83 GDPR. The guidelines set out a five step methodology which all German DPAs

are expected to follow to secure a ‘comprehensible, transparent and just’ approach when calculating the amount of a

specific fine:

Categorize the undertaking based on annual turnover (for group undertakings, the categorization will be based on

the turnover of the entire group, not just the entity responsible for the infringement);

Determine the average annual turnover (this will be determined by reference to the category the undertaking has

been assigned);

Calculate the average daily turnover (so called economic base value);

Multiply the base value by a factor reflecting the seriousness of the infringement;

Apply a modifying factor (if required) to address any wider circumstances associated with the infringement not yet

taken into account.

For more information on the guidelines, please refer to our article in the DLA Piper blog Privacy Matters

(https://blogs.dlapiper.com/privacymatters/), which gives a comprehensive overview of the five steps.

As outlined above, regarding the enforcement the German Authorities declared that they are of the opinion that the fines

will not only be calculated based on the turnover of the specific affected company, but of the entire group of undertakings.

However, whether this interpretation of Art. 83 (4), (5) and (6) GDPR in connection with Recital 150 GDPR is correct is

currently highly disputed in Germany, with solid arguments against this broad interpretation. The enforcement of fines is

subject to the Act on Regulatory Offences (Gesetz über Ordnungswidrigkeiten – ‘OWiG’); other sanctions, eg, a temporary

or definitive limitation or ban on processing, are subject to the rules regarding administrative procedures.

Whether the purely revenue-based guidelines can form the basis for determining a fine is highly disputed. One German

court has already come to the conclusion that this type of fine determination is disproportionate. It is therefore possible

that the guidelines will be reviewed and amended by the German Authorities.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the


strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is likely to be

replaced by a regulation (the so called ePrivacy Regulation), but it is currently uncertain when this is going to happen, as the

European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council

of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will

be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy

Directive will be replaced with the GDPR standard for consent.

In general, unsolicited electronic marketing requires prior opt-in consent. The opt-in requirement is waived under the ‘same

service / product’ exemption. The exemption concerns marketing emails related to the same products/services as previously

purchased from the sender by the user provided that:

the user has been informed of the right to opt-out prior to the first marketing email;

the user did not opt-out; and

the user is informed of the right to opt-out of any marketing email received.

The exemption applies to electronic communication such as electronic text messages and email but does not apply with respect to

communications sent by fax.

Direct marketing emails must not disguise or conceal the identity of the sender.

Like the GDPR, the German BDSG also does not provide for any specific provisions regarding marketing. The use of

electronic communication for the purpose of direct marketing as currently regulated in ePrivacy Directive has been

transposed into German law and is implemented in Sec. 7 of the German Act Against Unfair Competition (Gesetz gegen

den unlauteren Wettbewerb – ‘UWG’). As emphasized by the German Authorities (in their guidelines on direct marketing),

processing of personal data for the purpose of marketing communication which is in breach of Sec. 7 UWG also

constitutes a breach of the GDPR as it does not follow a legitimate purpose.

When using electronic communication for direct marketing, prior consent is generally required, cf. Sec. 7 (2) no. 1, 2

UWG, the standard for this being the so-called Double Opt-In process. According to Article 6 (1) a) GDPR as well as

according to established German case law, data subjects must always give consent for a specific processing purpose. This

means that the person to be contacted needs to know (1) from whom (meaning which specific entity or entities) and (2)

for which specific products and services he / she will receive marketing offers.

The German lawmaker has also transposed the ‘same service / product’ exemption into Sec. 7 UWG. Based on Sec. 7 (3)

UWG, direct marketing can be based on the exemption if the following prerequisites are met:

the recipient’s electronic mail address was obtained from the sender in connection with the sale of goods or

services;

the sender uses the address for direct advertising of his own similar goods or services (no cross-selling

permitted);

the recipient has not objected to this use; and

the recipient is clearly and unequivocally advised, upon the collection of the address as well as each time it is used,

that he or she can object to such use at any time, without costs arising by virtue thereof, other than transmission

costs pursuant to the basic rates.


ONLINE PRIVACY

The General Data Protection Regulation (GDPR) supersedes national data protection law unless there is an opening clause

constituted under GDPR. Due to Art. 95 GDPR this is the case for national data protection law that was created to implement

the Directive on privacy and electronic communication (Directive 2002/58/EC; “ePrivacy Directive”).

The German legislator created national data protection regulations for providers of telecommunication services within the

German Telecommunications Act (Telekommunikationsgesetz – TKG) and for providers of certain electronic information and

communication services (e.g. website operators) within the German Telemedia Act (Telemediengesetz – TMG). However, the

German legislator exceeded the requirements of the ePrivacy Directive with the data protection law included within the TKG in

certain cases. Therefore, some sections of the TKG are not applicable in part and some not at all; in such cases GDPR applies

accordingly (e.g. regarding data subject’s rights).

With regard to the TMG it is currently unclear to what extent the sections related to data protection law of the TMG are still

applicable under the GDPR. While the German Data Protection Authorities have jointly expressed the view that the data

protection law included in the TMG was not created to implement the ePrivacy Directive and that solely GDPR would be

applicable, the German Federal Court of Justice (Bundesgerichtshof – ‘BGH’) has ruled that Sec. 15 (3) TMG (dealing with the use of

cookies and similar technologies) is still applicable (see below).

The German lawmaker is currently working on an amendment of the data protection rules under both the TKG and the TMG.

Cookie compliance

Until 28 May 2020, the legal requirements with regard to the use of cookies were unclear in Germany. Prior to that, it was

disputed whether there was any consent requirement for cookies at all, as the respective provisions of the ePrivacy Directive have

never been transposed into German law (the German data protection authorities confirmed this view in a joint paper

published in March 2019). However, on 28 May 2020, the BGH ruled that Sec. 15 (3) TMG (which

technically only provides for an opt-out requirement regarding the use of cookies) is to be construed as a requirement for cookie

consent in the meaning of the ePrivacy Directive. Therefore, cookie consent is now a requirement in Germany as well.

In addition to that, the German data protection authorities have long been of the opinion that the processing of personal data

enabled by the cookies used for analysis and tracking tools regularly requires consent, in particular if the tools allow third parties

to collect data from website users as (joint) controllers. It remains to be seen whether this position will be upheld by the BGH or

another superior German court.

Traffic data

Lawful processing of traffic data requires an explicit legal basis under the TKG and may only take place for purposes constituted

therein or justified by other legal provisions. Providers of publicly available telecommunication services have to take the technical

precautions and actions necessary to protect personal data; in this context the state of the art must be observed. In addition, the

service providers are required to protect the secrecy of telecommunications.

Providers of publicly available telecommunication services may process traffic data for the establishment and maintaining of a

telecommunications connection, remuneration inquiry and billing, fraud prevention as well as detection and remedy of disruptions

regarding telecommunications systems and tracing of malicious or nuisance calls. Processing of traffic data for marketing purposes,

need-based design of telecommunication services and provision of value-added services requires consent.

Generally, traffic data shall be deleted by the service provider without undue delay after termination of each telecommunications

connection or as soon as the data are no longer necessary in relation to the purpose for which they are otherwise being

processed. However, data may and must be stored in case statutory retention periods under the TKG or other law apply.

Service providers shall notify the users without undue delay, if any faults of data processing systems of the users become known.

As far as technically possible and reasonable the service provider has to inform the users about adequate, effective and accessible


measures for detecting and rectifying such faults.

Location data

Publicly available telecommunication services may only process location data for the purpose of providing value-added services in

case the data are rendered anonymous or processing is based on consent.

Consent can be withdrawn at any time and where consent was given to the processing of location data, it must be possible, by

simple means and free of charge, to temporarily prohibit the processing of such data for each connection to the network or for

each transmission of a message.

The processing of location data in other contexts than telecommunication services (like for example GPS tracking) is subject to

GDPR.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Verena Grentzenberg
Partner

T +49 40 188 88 203

verena.grentzenberg@dlapiper.com

Dr. Jan Geert Meents
Partner

T +49 89 23 23 72 130

jan.meents@dlapiper.com

Jan Pohle
Partner

T +49 221 277 277 391

jan.pohle@dlapiper.com


GHANA

Last modified 10 January 2022

LAW

The primary legislation governing privacy / data protection in Ghana is the Data Protection Act, 2012 (Act 843).

Other laws, examples of which are set out below, contain some privacy/data protection provisions:

1992 Constitution

Article 18(2) provides citizens with a fundamental right to privacy. The Article provides that “no person shall be subjected to

interference with the privacy of his home, property, correspondence or communication except in accordance with law and as may be

necessary in a free and democratic society for public safety or the economic well-being of the country, for the protection of health or morals,

for the prevention of disorder or crime or for the protection of the rights or freedoms of others.”

Electronic Communications Act, 2008 (Act 775)

A network operator or a service provider who is a holder of a Class Licence shall not use or permit another person to use or

disclose confidential, personal or proprietary information of a user, another network operator or service provider without lawful

authority unless the use or disclosure is necessary for the operation of the network or service, the billing and collection of

charges, the protection of the rights or property of the operator or provider, or the protection of the users or other network

operators or service providers from the fraudulent use of the network or service.

A person who intentionally uses or discloses personal information in contravention of the Act commits an offence and is liable

on summary conviction to a fine of not more than one thousand five hundred penalty units or to a term of imprisonment of not

more than four years or both.

Act 775 defines a Class Licence as “a licence, other than an individual licence, granted on the same terms to each applicant in respect to a

class of electronic communications networks or services or radio-communication services.”

Electronic Communications Regulations, 2011 (L.I. 1991)

The principle of privacy and secrecy in electronic communications applies to the National Communications Authority, operators

of electronic communications networks and providers of electronic communications services.

The operator is required to comply with international best practices in the industry to promote privacy, secrecy and security of

communications carried or transmitted by the operator or through the communications system of the operator, and the personal

and accounts data related to subscribers.

Credit Reporting Act, 2007 (Act 726)

The Bank of Ghana has the overall supervisory and regulatory authority under the Act to: (a) register, license and regulate


bureaus, data providers and credit information recipients and their agents; and (b) control and supervise activities of the credit

bureaus, data providers, credit information recipients and their agents.

The Act requires the recipient of a credit report to keep such report confidential while ensuring that the information contained in

it is used solely for its specified purpose. A credit bureau, data provider or credit information recipient is required to observe the

principles of: (a) equality of credit information subjects; (b) confidentiality of information; (c) non-interference in the private life of

citizens; (d) respect for the rights, liberties and lawful interests of persons and legal entities; (e) accuracy and transparency of

information; and (f) privacy and secrecy of communication.

Public Health Act, 2012 (Act 851)

Article 45 of the International Health Regulations (2005) of World Health Organisation Regulations which is annexed to Act 851

as the Seventh Schedule provides that “health information collected or received by a State Party pursuant to these Regulations from

another State Party or from WHO which refers to an identified or identifiable person shall be kept confidential and processed anonymously

as required by national law.”

Children’s Act, 1998 (Act 560)

The purpose of this Act is to reform and consolidate the law relating to children, to provide for the rights of the child,

maintenance and adoption, regulate child labour and apprenticeship, and provide for ancillary matters concerning children

generally.

Act 560 provides that “a child’s right to privacy must be respected throughout the proceedings at a Family Tribunal”. In furtherance of

this, the Act restricts participants to the sittings of the Family Tribunal to persons with an interest in the matter including parents

of the child and officers of the Tribunal.

Act 560 further provides that it is an offence for any person to “publish any information that may lead to the identification of a child in

any matter before a Family Tribunal except with the permission of the Family Tribunal.”

DEFINITIONS

Data means information which (a) is processed by means of equipment operating automatically in response to

instructions given for that purpose, (b) is recorded with the intention that it should be processed by means of such

equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant

filing system, or (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record.

Data controller means a person who either alone, jointly with other persons or in common with other persons or as a

statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed.

Data processor in relation to personal data means any person other than an employee of the data controller who

processes the data on behalf of the data controller

Data subject means an individual who is the subject of personal data.

Data supervisor means a professional appointed by a data controller in accordance with section 58 to monitor the

compliance by the data controller in accordance with the provisions of the Act.

Processing means an operation or activity or set of operations by automatic or other means that concerns data or

personal data and the:

collection, organisation, adaptation or alteration of the information or data;

retrieval, consultation or use of the information or data;

disclosure of the information or data by transmission, dissemination or other means available, or

alignment, combination, blocking, erasure or destruction of the information or data.

Definition sensitive personal data

The Data Protection Act does not make provision for ‘sensitive personal data’. However ‘special personal data’, is defined as

personal data which relates to:

the race, colour, ethnic or tribal origin of the data subject;


the political opinion of the data subject;

the religious beliefs or other beliefs of a similar nature, of the data subject;

the physical, medical, mental health or mental condition or DNA of the data subject;

the sexual orientation of the data subject;

the commission or alleged commission of an offence by the individual; or

proceedings for an offence committed or alleged to have been committed by the individual, the disposal of such

proceedings or the sentence of any court in the proceedings.

NATIONAL DATA PROTECTION AUTHORITY

Data Protection Commission (‘Commission’)

Pawpaw Street

East Legon

Accra

Ghana

GPS: GA-414-1469 

P.O. Box CT7195

Accra

Ghana

Tel: +233-(0)30 2222 929

Email: info@dataprotection.org.gh

REGISTRATION

A data controller who intends to process personal data is required to register with the Data Protection Commission. A data

controller who is not incorporated in Ghana must register as an external company.

Upon registration, a data controller is issued a Certificate of Registration which is valid for two (2) years and must be renewed

thereafter. The Data Protection Commission also maintains an online public search register of registered data controllers, which

shows the status of the entity with the Commission as well as the expiry date of its current registration.

DATA PROTECTION OFFICERS

There is an obligation under the Act for data controllers to appoint data protection officers.

COLLECTION & PROCESSING

A person shall collect data directly from the data subject unless:

the data is contained in a public record

the data subject has deliberately made the data public

the data subject has consented to the collection of the information from another source

the collection of the data from another source is unlikely to prejudice a legitimate interest of the data subject

the collection of the data from another source is necessary for a number of expressly designated purposes (for example

the detection or punishment of an offence or breach of law)

compliance would prejudice a lawful purpose for the collection


compliance is not reasonably practicable.

A data controller must also ensure that the data subject is aware of:

the nature of the data being collected

the name and address of the person responsible for the collection

the purpose for which the data is required for collection

whether or not the supply of the data by the data subject is discretionary or mandatory

the consequences of failure to provide the data

the authorized requirement for the collection of the information or the requirement by law for its collection

the recipient of the data

the nature or category of the data

the existence of the right of access to and the right to request rectification of the data collected before the collection.

Where collection is carried out by a third party on behalf of the data controller, the third party must ensure that the data subject

has the information listed above.

TRANSFER

There are no specific provisions in the Act on the transfer of personal data. However, the sale, purchase, knowing or reckless

disclosure of personal data or information is prohibited.

A person who knowingly or recklessly discloses personal data is liable on summary conviction to a fine of not more than 250

penalty units or to a term of imprisonment of not more than 2 years or to both. A person who sells or offers for sale personal

data is liable on summary conviction to a fine of not more than 2500 penalty units or to a term of imprisonment of not more than

five years or to both a fine and a term of imprisonment.

A penalty unit is equivalent to GHS 12 (approximately USD 2.20).

SECURITY

A person who processes data shall take into account the privacy of the individual by applying the data security safeguards.

A data controller has an obligation to ensure that a data processor who processes personal data for the data controller,

establishes and complies with the security measures provided for under the Act.

BREACH NOTIFICATION

Where there are reasonable grounds to believe that the personal data of a data subject has been accessed or acquired by an unauthorised person, the data controller or a third party who processes data under the authority of the data controller shall notify the Commission and the data subject of the unauthorised access or acquisition as soon as reasonably practicable after the discovery of the unauthorised access or acquisition of the data. The data controller shall take steps to ensure the restoration of the integrity of the information system.

The data controller shall delay the notification to the data subject where the security agencies or the Data Protection Commission inform the data controller that the notification will impede a criminal investigation.

ENFORCEMENT

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Ghana 410 | | | www.dlapiperdataprotection.com

Where the Commission is satisfied that a data controller has contravened or is contravening any of the data protection principles, the Commission shall serve the data controller with an enforcement notice to require the data controller to do any of the following:

to take or refrain from taking the steps specified within the time stated in the notice;

to refrain from processing any personal data or personal data of a description specified in the notice;

to refrain from processing personal data or personal data of a description specified in the notice for the purposes specified or in the manner specified after the time specified.

A person who fails to comply with an enforcement notice commits an offence and is liable on summary conviction to a fine of not more than one hundred and fifty penalty units or to a term of imprisonment of not more than one year or to both. A penalty unit is equivalent to GHS 12 (approximately USD 2.20).

Further, an individual who suffers damage or distress through the contravention of the data protection obligations by a data controller is entitled to compensation from the data controller for that damage or distress.

In October 2020, the Data Protection Commission announced its implementation of an Enhanced Registration and Compliance Software to streamline the registration and renewal process for Data Controllers. It also announced a six-month extension (from 1 October 2020 to 31 March 2021) of the transitional period under the Act during which existing Data Controllers were required to register with the Commission. During this period, it is reported that defaulting Data Controllers will be required to pay only the current year’s registration fee, with all fees for previous years (back to 2012) in which they were required to register but defaulted being waived. Under the Act, however, such extensions of the transitional period must be made by a Legislative Instrument, and our checks show that no Legislative Instrument has been passed for this purpose.

ELECTRONIC MARKETING

The Act prohibits a data controller from using, obtaining, procuring or providing information related to a data subject for the purpose of direct marketing without the prior written consent of the data subject. However, there are no provisions that relate to electronic marketing specifically.

ONLINE PRIVACY

There are no specific provisions in relation to on-line privacy. However, a data controller is generally required to take necessary steps to secure the integrity of personal data in the possession or control of a person through the adoption of appropriate, reasonable, technical and organizational measures.

KEY CONTACTS

Reindorf Chambers

www.reindorfchambers.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Kizzita Mensah
Partner

Reindorf Chambers

T +233 302 225 674

kizzita.mensah@reindorfchambers.com


https://www.dlapiperdataprotection.com/scorebox/


GIBRALTAR

Last modified 22 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) to such data subjects in the EU (no payment is required) or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The GDPR entered into force in Gibraltar on 25 May 2018 because at the time Gibraltar was a territory within the European Union (by virtue of the accession of the United Kingdom on 1 January 1973). As such, Regulations were directly applicable in Gibraltar.

Gibraltar ceased to be a territory within the European Union on 31 January 2020, when the UK left on that date. However, the EU – UK Withdrawal Treaty provides for a transition period lasting until the end of 2020 (unless extended by joint agreement). During the transition period, EU law (including the GDPR) continues to apply directly to Gibraltar, and Gibraltar will be treated as if it were a territory within the European Union for the purposes of that law. Following the end of the transition period, subject to the terms of any future trade agreement reached between the EU and the UK, EU law will cease to apply in Gibraltar. The Gibraltar Government will implement the GDPR into Gibraltar national law (creating the “Gibraltar GDPR”), subject to a number of technical changes (e.g. to amend references to “Gibraltar” and the fact that Gibraltar is no longer a territory within the European Union) made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

Alongside the GDPR, on 25 May 2018 Gibraltar modified its existing Data Protection Act 2004 (“DPA04”) in order to supplement the GDPR. As well as containing derogations and exemptions from the position under the GDPR in certain permitted areas, the DPA04 also does the following:

Part III of the DPA04 transposes the Law Enforcement Directive ((EU) 2016/680) into Gibraltar law, creating a data protection regime specifically for law enforcement personal data processing; and

Parts V and VI set out the scope of the Data Protection Commissioner’s mandate and his enforcement powers, and create a number of criminal offences relating to personal data processing.

DEFINITIONS

Definition of personal data

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

“Public authority” and “public body” are expressions used in the GDPR. For the purposes of Gibraltar, the DPA04 defines them in S.9.

The DPA04 also clarifies that, where the purpose and means of processing are determined by an enactment of law, then the person on whom the obligation to process the data is imposed by the enactment is the controller.

Definition of sensitive personal data

Definition of personal data

Any information relating to a Data Subject; and a Data Subject means a natural person who is the subject of Personal Data.

Definition of special category personal data

Information about racial or ethnic origin, religious or philosophical beliefs, trade union membership, health or sex life. The DPA04 also includes a definition of criminal convictions and offences data, which covers personal data relating to the alleged commission of any offence and information on any proceedings for offences or alleged offences, the disposal of such proceedings and any sentence given.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the ICO in the UK and the Gibraltar Regulatory Authority in Gibraltar). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.


The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Gibraltar Data Protection Commissioner (whose functions are discharged through the Gibraltar Regulatory Authority (“GRA”)) is the supervisory authority for Gibraltar for the purposes of art. 51 of the GDPR. Once the UK GDPR applies, the GRA will no longer be a competent supervisory authority for the purposes of the EU GDPR. The Gibraltar GDPR also omits Chapter 7 (Cooperation and Consistency) of the EU GDPR, on the basis that Gibraltar will not be part of the EU’s cooperation and consistency mechanisms.

The GRA’s contact details are:

Data Protection Commissioner

Gibraltar Regulatory Authority

Suite 603 Europort

Gibraltar

T 200 74636

F 200 72166

info@gra.gi

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

In accordance with the position advocated by recital 89 of the GDPR, Gibraltar’s system of general registration for controllers was abolished on 25 May 2018.

There remains, however, an obligation to register Data Protection Officers with the GRA, although no fee is required.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up to date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance, perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose;

the context in which the data have been collected;

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);

the possible consequences of the new processing for the data subjects; and

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

necessary for entering into or performing a contract;

authorised by EU or Member State law; or

the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Special categories of personal data (Article 9)

Article 9(2) of the GDPR provides for a number of exceptions under which special categories of personal data may lawfully be processed. Certain of these exceptions require a basis in Member State law. Parts 1 and 2 of Schedule 1 to the DPA04 provide a number of such bases, in the form of ‘conditions’, which in effect provide Gibraltar specific gateways to legalise the processing of certain types of special category data. Many of these conditions are familiar from the previous Gibraltar law, whilst others are new. Important examples include:

processing required for employment law;

health and social care;

equality of opportunity or treatment;

public interest journalism;

fraud prevention;

preventing / detecting unlawful acts (eg money laundering / terrorist financing);

insurance; and

occupational pensions.

Criminal convictions and offences data (Article 10)

The processing of criminal conviction or offences data is prohibited by Article 10 of the GDPR, except where specifically authorised under relevant member state law. Part 3 of Schedule 1 of the DPA04 authorises a controller to process criminal conviction or offences data where the processing is necessary for a purpose which meets one of the conditions in Part 2 of Schedule 1 (this covers the conditions noted above other than processing for employment law, health and social care), as well as a number of other specific conditions:

consent;

the protection of a data subject’s vital interests; and

the establishment, exercising or defence of legal rights, the obtaining of legal advice and the conduct of legal proceedings.

Appropriate policy and additional safeguards

In any case where a controller wishes to rely on one of the DPA04 conditions to lawfully process special category, criminal conviction or offences data, the DPA04 imposes a separate requirement to have an appropriate policy document in place and apply additional safeguards to justify the processing activity. The purpose of the policy document is to set out how the controller intends to comply with each of the data protection principles in Article 5 of the GDPR in relation to this more sensitive data processing activity.

Child’s consent to information society services (Article 8)

Article 8(1) of the GDPR stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services where that child is over 16 years of age, unless member state law applies a lower age. The DPA04 reduces the age of consent for these purposes to 13 years for Gibraltar.

Automated Decision Making (Article 22)

Article 22(2)(b) of the GDPR allows member states to authorise automated decision making in local law, subject to additional safeguards, for purposes beyond the two permitted gateways already set out in Article 22(2) of the GDPR (ie, explicit consent, or necessity for entering into or performance of a contract with the data controller).

The DPA04 takes advantage of this provision to enable automated decision making where the automated decision is accompanied by the sending of a specific notice to the data subject which provides them with a one month period to request the controller to (i) reconsider the decision, or (ii) take a new decision that is not based solely on automated processing.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules and the use of standard contractual clauses. The GDPR


has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior

approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

Once the transition period under the EU – UK Withdrawal Treaty ends, Gibraltar will become a third country for the purposes of

Chapter V of the GDPR. It is possible that Gibraltar will achieve an adequacy decision to coincide with that date. However, in the

absence of an adequacy decision, alternative safeguards would technically be required to transfer personal data from the EU into

Gibraltar.

Under the Gibraltar GDPR, Gibraltar has chosen to roll over the EU’s adequacy decisions regarding third countries and to treat

EEA states and the United Kingdom as adequate on a temporary basis.  However, Gibraltar will have the power to make its own

adequacy decisions, and will in time reassess adequacy in respect of existing EU whitelisted jurisdictions and the EEA states

themselves.

SECURITY

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

the pseudonymisation and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

Mandatory breach notification

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

Personal data breaches should be notified to GRA as Gibraltar’s supervisory authority. Breaches must be reported to the GRA using their Data Breach Notification Form available on their website and sent by email to dpbreach@gra.gi.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.


Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The DPA04 sets out the specific enforcement powers provided to the GRA pursuant to Article 58 of the GDPR, including:

information notices – requiring the controller or processor to provide the GRA with information;

assessment notices – permitting the GRA to carry out an assessment of compliance;

enforcement notices – requiring the controller or processor to take, or refrain from taking, certain steps; and

penalty notices – administrative fines.

The GRA has the power to conduct a consensual audit of a controller or a processor, to assess whether that organisation is

complying with good practice in respect of its processing of personal data.

Under Schedule 15 of the DPA04 the GRA also has powers of entry and inspection. These will be exercised pursuant to judicial warrant and will allow the GRA to enter premises and seize materials.

The DPA04 creates two new criminal offences in Gibraltar law: the re-identification of de-identified personal data without the consent of the controller and the alteration of personal data to prevent disclosure following a subject access request under Article 15 of the GDPR. The DPA04 retains existing Gibraltar criminal law offences, eg the offence of unlawfully obtaining personal data.

The DPA requires the GRA to issue guidance on its approach to enforcement, including guidance about the circumstances in

which it would consider it appropriate to issue a penalty notice, i.e. administrative fine.

The DPA also allows the GRA to publish statutory codes of practice on direct marketing and data sharing.

ELECTRONIC MARKETING

The GDPR applies to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing are consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).


Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, there is still no certainty when this is going to happen.

In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with

references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive have been

replaced with the GDPR standard for consent.

In Gibraltar, the ePrivacy Directive was transposed into local law by the Communications (Personal Data and Privacy) Regulations

2006 (the Regulations).

The Regulations apply to most electronic marketing activities. The Regulations do not prohibit the use of personal data for the purposes of electronic marketing but provide individuals with the right to ‘opt-out’ for direct marketing purposes.

There are a number of different opt-out schemes/preference registers for different media types. Individuals (and, in some cases,

corporate subscribers) can contact these schemes and ask to be registered as not wishing to receive direct marketing material. If

advertising materials are sent to a person on the list, sanctions can be levied by the GRA.

The Regulations also prohibit the use of automated calling systems without the consent of the recipient. The use of unsolicited electronic communications (ie by email or SMS text) for direct marketing purposes is also prohibited without prior consent from the consumer unless:

the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing;

the marketing relates to offering a similar product or service; and

the consumer was given a means to readily ‘opt out’ of use for direct marketing purposes both at the original point where their details were collected and in each subsequent marketing communication.

Each direct marketing communication must not disguise or conceal the identity of the sender and must include the ‘unsubscribe’ feature referred to above.

The restrictions on marketing by email / SMS only apply in relation to individuals and not where marketing to corporate subscribers.

ONLINE PRIVACY

The Communications (Personal Data and Privacy) Regulations 2006 (the Regulations) deal with the collection of location and

traffic data by public electronic communications providers (‘CPs’) and the use of cookies (and similar technologies).

Traffic Data

Traffic Data held by a CP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a

communication. However, Traffic Data can be retained if:

it is being used to provide a value added service, and

consent has been given for the retention of the Traffic Data.

Traffic Data can only be processed by a CP for:

the management of billing or traffic

dealing with customer enquiries

the prevention of fraud

the marketing of electronic communications services, or

the provision of a value added service.

Location Data


Location Data may only be processed for the provision of value added services with consent and where the identity of the user is

anonymised. CPs are also required to take measures and put a policy in place to ensure the security of the personal data they

process.

Cookie Compliance

The use and storage of cookies and similar technologies requires:

clear and comprehensive information, and

consent of the website user.

The GRA’s position is that positive action (eg via the use of a tick box) will be required by the user for the installation of cookies and that pre-enabled boxes do not amount to consent. The usual data protection principles of the GDPR also apply.

Note that consent is not required for cookies that are used for the sole purpose of carrying out the transmission of a communication over an electronic communications network or where this is strictly necessary for the provision of a service requested by the user.

Enforcement of a breach of the Regulations is dealt with by the GRA and if found guilty a fine and/or imprisonment may be imposed. However, an individual may also bring an action for damages in the Supreme Court.

KEY CONTACTS

Hassans

www.gibraltarlaw.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Michael Nahon
Partner

T (+350) 200 79000

michael.nahon@hassans.gi


GREECE

Last modified 22 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Greek Law 4624/2019 “on the Hellenic Data Protection Authority, the implementation of Regulation 2016/679 and the transposition of Directive 2016/680” (hereinafter the “Law”) (Government Gazette A/137/29.08.2019) was enacted and entered into force on August 28, 2019. The Law regulates the operation of the Hellenic Data Protection Authority, introduces GDPR supplementary rules and transposes the Law Enforcement Directive into Greek Law.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

Definition of supervisory authority

The competent supervisory authority for the territory of Greece is the Hellenic Data Protection Authority (hereinafter

the “HDPA”).

Definitions as per article 4 of the GDPR

Further to the definitions as per article 4 of the GDPR, the Law provides for specific definitions for the notions of public

and private bodies:

‘Public body’ means public authorities, independent and regulatory administrative authorities, legal persons

governed by public law, first and second-level local government authorities with their legal persons and their legal

entities, state-owned or public undertakings and agencies, legal persons governed by private law which are

state-owned or regularly receive at least 50% of their annual budget in the form of state subsidies, or their

administration is designated by the state.

‘Private body’ means any natural or legal person or group of persons without legal personality which does not fall

within the definition of a ‘public body’.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.


Hellenic Data Protection Authority (HDPA)

Kifissias 1-3, 115 23 Athens, Greece

T: +30-210 6475600

F: +30-210 6475628

Email: contact@dpa.gr

The HDPA is responsible for supervising the implementation and enforcement of data protection Law in Greece.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

There are no registration requirements under Greek Law. Notification and authorization requirements under the former

data protection regime pertaining to the processing of special category data or installation of CCTV systems have been

abolished and replaced by the obligation to hold a record of processing activities and to conduct DPIAs.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).


The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Further to the relevant GDPR provisions, the Law lays down specific rules on the appointment of a DPO by public authorities. The particularity of Greek law is that public authorities can be considered to be exempted from the obligation to publish the contact details of the DPO and communicate them to the HDPA for reasons of national security or confidentiality.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Greece 429 | | | www.dlapiperdataprotection.com

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

- with the explicit consent of the data subject;
- where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
- where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
- in limited circumstances by certain not-for-profit bodies;
- where processing relates to the personal data which are manifestly made public by the data subject;
- where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
- where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
- where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;
- where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
- where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

- any link between the original purpose and the new purpose
- the context in which the data have been collected
- the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
- the possible consequences of the new processing for the data subjects
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

- the identity and contact details of the controller;
- the data protection officer’s contact details (if there is one);
- both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
- the recipients or categories of recipients of the personal data;
- details of international transfers;
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
- the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
- where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
- the consequences of failing to provide data necessary to enter into a contract;
- the existence of any automated decision making and profiling and the consequences for the data subject; and
- in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Law establishes additional purposes in relation to which further processing is allowed.

With regard to public bodies, processing of personal data for a purpose other than that for which they were collected shall be permitted where such processing is necessary for the performance of the tasks assigned to them and provided that it is necessary:

- for the verification of the information provided by the data subject because there are reasonable grounds for believing that such information is incorrect;
- for the prevention of risks to national security, defense or public security, or for securing tax and customs revenue;
- for the prosecution of criminal offences;
- for the prevention of serious harm to the rights of another person;
- for the production of official statistics.

With regard to private bodies, processing of personal data by private bodies for a purpose other than that for which they have been collected shall be permitted, where necessary:

- for the prevention of threats to national or public security at the request of a public body; or
- for the prosecution of criminal offences; or
- for the establishment, exercise or defense of legal claims, unless the interests of the data subject override the grounds for the processing of those data.

Data Processing in the Employment context: By virtue of the right conferred by Article 88 of the GDPR, the Law lays down detailed sector-specific rules in respect of data processing in the context of the employment relationship.

Employee’s personal data can be processed for purposes related to recruitment or the performance of the employment agreement.

Processing of special categories of personal data for employment-related purposes is allowed (i) if necessary to exercise rights or comply with legal obligations derived from labor law or social security and social protection law and (ii) the data controller has no reason to believe that the data subject has an overriding legitimate interest.

Data processing may only exceptionally be based on employee’s consent. Consent may be considered as informed if the employer has informed the employee about the processing purpose and the right to revoke his/her consent. To assess whether consent is freely given, due attention should be paid to the level of dependency of the employee and the conditions under which consent was granted. Consent can also be given by electronic means and should not be tied to the employment agreement. Consent to processing of specific categories of data should be given in relation to said data.

The processing of personal data is also permitted on the basis of collective labor agreements.

Data controllers must take appropriate measures to ensure compliance with the processing principles set forth in Article 5 of the GDPR when processing employees’ data.

Video surveillance by means of CCTV systems in the workplace is permitted only for reasons of safety and security, provided that employees have been previously informed thereabout. Such data cannot be used for evaluation purposes.

Processing sensitive personal data / consent

Collection and processing of genetic data for health and life insurance purposes is prohibited under Article 23 of the Law.

By way of derogation from Article 9 para. 1 of the GDPR, the processing of special categories of personal data within the meaning of Article 9 para. 1 of the GDPR by public and private bodies shall be allowed, if necessary: (a) for the purpose of exercising the rights arising from the right to social security and social protection, and for fulfilling the obligations arising therefrom; (b) for the purposes of preventive medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or the management of health or social care systems or pursuant to a contract with a health professional or other person who is subject to a duty of professional secrecy or supervised by him/her; or (c) for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, in addition to the measures referred to in the second subparagraph of paragraph 3, the provisions ensuring professional secrecy provided for in a law or code of conduct must in particular be complied with. It goes without saying that the processing of special categories of personal data shall be accompanied by the implementation of the appropriate technical and organisational measures.

By way of derogation from Article 9 para. 1 of the GDPR, the processing of special categories of personal data by public bodies within the meaning of Article 9 para. 1 of the GDPR shall be allowed, where it is: (a) strictly necessary for reasons of essential public interest; (b) necessary for the prevention of major threats to national or public security; or (c) necessary for taking humanitarian action, in which case the interests in the processing override the interests of the data subject.

Further Processing

With regard, in particular, to public bodies, the processing of special categories of personal data, as referred to in Article 9 para. 1 of the GDPR, for a purpose other than that for which they have been collected, shall be permitted provided that the conditions set out in paragraph 1 of Art. 24 of Law 4624/2019 are fulfilled and one of the exemptions provided for in Article 9 para. 2 of the GDPR or Article 22 of Law 4624/2019 applies.

As far as private bodies are concerned, the processing of special categories of personal data, as referred to in Article 9 para. 1 of the GDPR, for a purpose other than that for which they have been collected, shall be permitted, provided that the conditions set out in paragraph 1 of Art. 25 of Law 4624/2019 are fulfilled and one of the exemptions provided for in Article 9 para. 2 of the GDPR or Article 22 of Law 4624/2019 applies.

Processing and Freedom of Expression and Information: Exercising the discretion under Article 85 GDPR, the Law sets the conditions for data processing that is necessary to uphold the right to freedom of expression and information and precludes in this case the application of the majority of data controller’s obligations.

To the extent necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression, the processing of personal data is allowed where: (a) the data subject has given his or her explicit consent, (b) it relates to personal data which are manifestly made public by the data subject, (c) the right to freedom of expression and the right to information override the right to the protection of the data subject’s personal data, in particular on matters of general interest or where it relates to personal data of public figures, and (d) where it is limited to what is necessary to ensure freedom of expression and the right to information, in particular with regard to special categories of personal data, criminal proceedings, convictions and related security measures, taking into account the right of the data subject to his or her private and family life.

To the extent necessary to reconcile the right to the protection of personal data with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression, the following shall not apply: (a) Chapter II of the GDPR (principles), except for Article 5, (b) Chapter III of the GDPR (rights of the data subject), (c) Chapter IV of the GDPR (controller and processor), except for Articles 28, 29 and 32, (d) Chapter V of the GDPR (transfer of personal data to third countries or international organisations), (e) Chapter VII of the GDPR (cooperation and consistency) and (f) Chapter IX of the GDPR (specific data processing situations) (Article 28 para. 2 of Law 4624/2019).

Processing for Archiving, Scientific or Historical Research or Statistical Purposes: Having regard to the margin of discretion under Article 89 of the GDPR, the Law stipulates the security requirements for processing data for archiving, scientific or historical research or statistical purposes and restricts the scope of data subject’s rights.

1. By way of derogation from Article 9 para. 1 of the GDPR, special categories of personal data within the meaning of Article 9 para. 1 of the GDPR shall be processed where it is necessary for archiving purposes in the public interest. The controller shall have the obligation to take suitable and specific measures to protect the data subject’s legitimate interests.

In derogation from the provisions of Article 15 of the GDPR the access right of the data subject can be restricted in whole or in part to data related to it, if exercise of the right could possibly hinder the fulfillment of archiving purposes in the public interest (as provided in Art. 29 para. 1 of Law 4624/2019), especially in the case that the archiving material is not kept in relation to the data subject’s name and the exercise of the right would require disproportionate efforts (Article 29 para. 2 of Law 4624/2019).

In derogation from the provisions of Article 16 of the GDPR the data subject does not have the right of rectification of inaccurate data, if its exercise could possibly hinder the fulfillment of archiving purposes in the public interest or the exercise of third parties’ rights (Article 29 para. 3 of Law 4624/2019).

In derogation from the provisions of Articles 18 para. 1 (a) (b) and (d), 20 and 21 of the GDPR, the data subject’s rights shall be restricted, if these rights could possibly hinder the fulfillment of the specific archiving purposes in the public interest (as provided in Art. 29 para. 1 of Law 4624/2019) and such limitations are considered as necessary for the fulfillment of those purposes (Article 29 para. 4 of Law 4624/2019).

2. By way of derogation from Article 9 para. 1 of the GDPR, the processing of special categories of personal data, within the meaning of Article 9 para. 1 of the GDPR, shall be allowed without the consent of the data subject where the processing is necessary for scientific or historical research purposes, or for the collection and maintenance of statistical information, and the interest of the controller is overriding the interest of the data subject in not having his or her personal data processed. The controller shall have the obligation to take suitable and specific measures to protect the data subject’s legitimate interests.

By way of derogation from the provisions of Articles 15, 16, 18 and 21 of the GDPR, the rights of the data subject shall be limited where their exercise is likely to render impossible or seriously impair the achievement of the objectives referred to in paragraph 1 and where such limitations are deemed to be necessary for their achievement. For the same reason, the data subject’s right of access provided for in Article 15 of the GDPR shall not apply where personal data are necessary for scientific purposes and the provision of information would entail a disproportionate effort (Article 30 para. 2 of Law 4624/2019).

In addition to what is referred to in paragraph 1, special categories of personal data, where processed for the purposes of paragraph 1 shall, unless it is contrary to the legitimate interest of the data subject, be anonymised as soon as the scientific or statistical purposes allow. Until then, the characteristics that can be used to match individual details associated with personal or real situations of an identified or identifiable person must be stored separately. These characteristics can only be combined with individual details if required for research or statistical purposes (Article 30 para. 3 of Law 4624/2019).

The controller may publish personal data processed in the context of research, if the data subjects have given their consent in writing or the publication is necessary for the presentation of the results of the research. In the latter case, the results shall undergo pseudonymisation prior to being published (Article 30 para. 4 of Law 4624/2019).

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;
b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
d. the transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims;
f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

The Law does not provide for any additional rules on cross-border data transfers.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymization and encryption of personal data;
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Greek Law does not provide for additional requirements in relation to security measures other than those set forth in the GDPR. Only with regard to special categories of data, the Law provides an indicative list of the security measures which should be taken. More specifically, when processing special categories of personal data, appropriate security measures to safeguard the data subject’s interests should be adopted. Such measures may include:

- Technical and organizational measures to ensure that processing complies with the GDPR.
- Measures to verify and establish whether and by which party personal data were fed into, altered or removed.
- Data Protection awareness
- Data classification and access rights
- Designation of a DPO
- Pseudonymization of personal data
- Encryption of personal data
- Measures to restore confidentiality, integrity, availability and resilience of processing systems and services, including the ability to restore availability and access to data in the event of physical or technical incident
- Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.


BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

The Law provides for an additional exception from the obligation to communicate data breaches to the data subject under Article 34 GDPR. Article 33 (5) of the Law provides that in addition to the exception established in Article 34 (3) GDPR, the obligation to communicate a personal data breach to the data subject does not apply when such notification would lead to disclosure of information which must be kept confidential by operation of law or due to their nature, unless the data subject’s interests take precedence.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Administrative fines

The HDPA may impose administrative fines in accordance with article 83 para. 4 and 5 of the GDPR. The acts of the DPA

through which administrative fines are imposed, constitute enforceable deeds and shall be served to the data controller,

the data processor or their representatives. Such fines shall be collected according to the Public Income Collection Code.

Penalties

In exercise of the discretionary powers recognized to Member States by Article 84 of the GDPR, the Law stipulates

criminal sanctions which may be applied for unauthorized processing:

Any act of unauthorized data processing (i.e. access, disclosure, destruction or damage, collection, recording,

organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) may

lead to imprisonment of up to 1 year.

If the above mentioned actions relate to special categories of data or data relating to criminal convictions and

offences or related security measures, they are punishable by imprisonment of up to 1 year and penalty payment

up to 100.000€. Any person who commits the above actions with intent to obtain unlawful advantage or to cause

injury amounting to at least 120.000€, is liable to imprisonment of up to 10 years.

In the event that the above actions threaten democracy or national security, punishment of imprisonment and

penalty payment of up to 300.000€ may be applied.

Right to claim compensation

Further to Article 79 (2) of the GDPR, the Law establishes procedural rules with regard to the venue where civil

proceedings may be initiated. Claims for damages brought by data subjects against data controllers or processors as a

result of a GDPR infringement shall be filed before the civil court of the registered seat of the controller/processor or

the court in whose district the data subject has his/her habitual residence.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

Electronic marketing is regulated by Law 3471/2006 ‘for the protection of personal data and privacy in electronic communications’

(the ‘Law’), in combination with the general provisions of Law 2472/1997 ‘for the protection of individuals from the processing of

personal data’ (the ‘Data Protection Act’).

According to the provisions of article 11 of the Law, data processing for electronic marketing purposes is allowed only upon the

individuals’ prior express consent. The said article prohibits the use of automated calling systems for marketing purposes to

subscribers that have previously declared to the public electronic communications services providers (‘CSPs’) that they do not

wish to receive such calls in general. The CSPs must register these declarations for free on a separate publicly accessible list.

Personal data (such as e-mail addresses) that have been legally obtained in the course of sales of products, provision of services or

any other transaction may be used for electronic marketing purposes, without the receiver’s prior consent thereto, provided that

the receiver of such email has the possibility to ‘opt out’, free of charge, from the collection and processing of his/her personal data for the

aforementioned purposes.

Direct marketing emails or advertising emails of any kind are absolutely prohibited, when the identity of the sender is disguised or

concealed and also when no valid address, to which the receivers can address requests for the termination of such

communications, is provided.

Electronic marketing is regulated by Greek Law 3471/2006 ‘for the protection of personal data and privacy in electronic

communications’, which transposes Directive 2002/85/EC into Greek Law, in conjunction with the GDPR.

According to the provisions of article 11 of Greek Law 3471/2006, data processing for electronic marketing purposes is

allowed only upon the individuals’ express prior consent. Use of automated calling systems without human intervention

for marketing purposes is prohibited in respect of subscribers that have declared to the public electronic communication

services providers (‘CSPs’) that they do not wish to receive such calls.

Where a natural or legal person obtains from its customers their electronic contact details for electronic mail, in the

context of the sale of a product or a service, the same natural or legal person may use these electronic contact details for

direct marketing of its own similar products or services, without prior consent, provided that customers clearly and

distinctly are given the opportunity to object, free of charge and in an easy manner, to such use of electronic contact

details when they are collected and on the occasion of each message in case the customer has not initially refused such

use.

ONLINE PRIVACY

Articles 4 and 6 of the Law (as amended by Directive 2009/136/EC) deal with the collection of location and traffic data by CSPs

and the use of cookies and similar technologies.

Traffic data

Traffic data of subscribers or users held by a CSP must be erased or anonymized after the termination of a communication, unless

they are retained for one of the following reasons:

The billing of subscribers and the payment of interconnections, provided that the subscribers are informed of the

categories of traffic data that are being processed and the duration of processing, which must not exceed 12 months from

the date of the communication (unless the bill is disputed or unpaid).

 

Marketing of electronic communications services or value added services, to the extent that traffic data processing is

absolutely necessary and following the subscriber’s or the user’s prior express consent thereto, after his / her notification

regarding the categories of traffic data that are being processed and the duration of the processing. Such consent may be

freely recalled. The provision of electronic communication services by the CSP must not depend on the subscriber’s

consent to the processing of his/her traffic data for other purposes (eg, marketing purposes).

Location data

Location data may only be processed for the provision of value added services, only if such data are anonymized or with the

subscriber’s / user’s express consent, to the extent and for the duration for which such processing is absolutely necessary. The

CSP must previously notify the user or the subscriber of the categories of location data that are being processed, the purposes

and the duration of the processing as well as of the third parties to which the data will be transmitted for value added services

provision. The subscriber’s / user’s consent may be freely recalled and the ‘opt-out’ possibility must be provided to the subscriber

by the CSP free of charge and with simple means, every time he is connected to the network or in each transmission of

communication.

Location data processing is allowed exceptionally without the subscriber’s / user’s prior consent to authorities dealing with

emergencies, such as prosecution authorities, first aid or fire-brigade authorities, when the location of the caller is necessary for

serving such emergency purposes.

Cookie compliance

The use and storage of cookies and similar technologies is allowed when the subscriber / user has provided his / her express consent,

after having been comprehensively and clearly informed by the CSP. The subscriber’s consent may be provided through the

necessary browser adjustments or through the use of other applications.

The foregoing does not prevent the technical storage or use of cookies for purposes relating exclusively to the transmission of a

communication through an electronic communications network or the provision of an information society service which the

subscriber or the user has specifically requested. The Data Protection Authority is the competent authority for the issuance of an

Act, which will regulate the ways such services will be provided and the subscribers’ consent will be declared.

Articles 4 and 6 of Greek Law 3471/2006 regulate collection of location and traffic data by CSPs and the use of cookies

and similar technologies.

Traffic data

Traffic data held by a CSP must be in principle erased or anonymized upon termination of the communication to which

they refer. The aforementioned rule does not apply with regard to traffic data retained for billing, marketing and law

enforcement purposes.   

Location data

Location data may only be processed for the provision of value added services, only if they are anonymized or upon

subscriber’s / user’s express consent, unless processing and disclosure of such data to public authorities is necessary in

case of emergency.

Cookies compliance

Rules on use of cookies and similar technologies are set forth in the HDPA Guidance Note on “the use of cookies and

other tracking technologies”.  The use and storage of cookies and similar technologies is allowed when the subscriber /

user has provided his express consent. The subscriber’s consent may be provided by means of cookie pop-up or banners

and shall meet GDPR consent requirements.

Use of cookies for purposes relating exclusively to the transmission of a communication through an electronic

communications network or the provision of an information society service which the subscriber or the user has

specifically requested is exempted from the aforementioned requirement.

KEY CONTACTS

Kyriakides Georgopoulos Law Firm

www.kglawfirm.gr

Irene C. Kyriakides
Partner

Kyriakides Georgopoulos Law Firm

i.kyriakides@kglawfirm.gr

Elina N. Georgili
Partner

Kyriakides Georgopoulos Law Firm

e.georgili@kglawfirm.gr

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

GUATEMALA

Last modified 21 December 2021

LAW

Guatemala does not have a personal data protection law; however, the Law on Access to Public Information (Ley de Acceso a la

Información Pública – Decree 57-2008 of the Congress of the Republic), even though it pertains to information in public files and records,

does address the matter in certain provisions which can be applicable to private parties.

DEFINITIONS

Definition of Personal Data

Article 9, number 1 of the Law on Access to Public Information defines Personal Data as “relative to any information pertaining to

natural persons identified or identifiable.”

Definition of Sensitive Personal Data

Article 9, number 2 of the Law on Access to Public Information defines Sensitive Personal Data as “such personal data referring to

physical or moral characteristic of the persons or to facts or circumstances of its private life or activity, such as personal habits, racial origins,

ethnic origin, ideology or political opinions, religious beliefs or convictions, physical or psychologic health status, sexual preference or sex life,

moral and familiar situation or other intimate matters similar in nature.”

NATIONAL DATA PROTECTION AUTHORITY

According to Art. 46 of the Law on Access to Public Information, the competent National Data Protection Authority is the

Ombudsman (Procurador de los Derechos Humanos).

REGISTRATION

Registration of Personal Data is not regulated, yet if personal data of an individual is gathered by any public office or obliged

subject, even private parties (under the premise that they receive public funds or grants from the State of Guatemala), Article 30

of the Law on Access to Public Information grants the right to Habeas Data. 

DATA PROTECTION OFFICERS

Public offices and private parties defined in Art. 6 of the Law on Access to Public Information must implement Public Information

Units, pursuant to Art. 19 of the law.

COLLECTION & PROCESSING

Collection and Processing of personal data is not regulated; however, Art. 33 of the Law on Access to Public Information refers to

files and information systems and Art. 39 refers to electronic or digital records. According to Art. 36 of the Law, all information

in public records must be safeguarded and should not be destroyed.  Art. 32 of the Law prohibits the creation of data banks or

files containing sensitive data and sensitive personal data, unless such information is for the service and attention of the public

institution creating the data bank.

TRANSFER

Transfer of Personal Data is not regulated; however, Art. 31 of the Law on Access to Public Information establishes that written

consent is necessary for any type of information transfer and expressly bans the commercialisation of sensitive data and sensitive

personal data.

SECURITY

Security is not regulated. However, as referred above, according to Art. 36 of the Law, all information in public records must be

safeguarded and should not be destroyed.

BREACH NOTIFICATION

Breach Notification is not regulated, however, Art. 17 of the Law on Access to Public Information stipulates that the person

consulting public information must give notice to the relevant authority of the destruction or misuse of public information.

Mandatory breach notification

Mandatory Breach Notification is not regulated.

ENFORCEMENT

According to Arts. 61, 62 and 63 of the Law on Access to Public Information, enforcement corresponds to the Superior

Authorities of the relevant public offices and in the event the infraction entails criminal responsibility it corresponds to the

Prosecutor General’s Office. Arts. 64 to 67 of the Law specifically create criminal offences related to the abuse and misuse of

information contained in public records, including Personal Data. 

Specifically, Art. 64 of the Law prohibits private parties from commercialising personal data without consent.

Violation of this provision is punishable by imprisonment of 5 to 8 years, a fine ranging from Q.50,000.00 to Q.100,000.00 and the confiscation

of any element employed to execute the crime.

ELECTRONIC MARKETING

According to the Law of Acknowledgment of Electronic Communications and Signatures, Decree 47-2008 of the Congress of the

Republic, electronic marketing is not considered E-Commerce, yet it is considered a communication and an electronic

communication as it contains an exposition, statement, claim, advice, request, or offer and the acceptance of an offer, in relation to

the construing or execution of a contract. 

If any such communication is not addressed to a particular person but it is a general communication, according to Art. 25 of the

aforementioned law, it shall be deemed an offer. 

Protection to the consumer in E-Commerce and E-Marketing or E-Advertisement is addressed in Art. 51 of the aforementioned

law, compelling the originators of such communications to act in an equitable manner and to fully comply with the offered matters

and not to engage into false, deceitful, fraudulent or disloyal business practices.

ONLINE PRIVACY

Online privacy is not regulated.

KEY CONTACTS

Central Law

central-law.com/portfolio/central-law-guatemala/

Carlos Cabrera
Associate

Central Law

T +502 23836000

ccabrera@central-law.com

GUERNSEY

Last modified 5 January 2021

LAW

The Data Protection (Bailiwick of Guernsey) Law, 2017 (“DPL 2017”) came into force on 25 May 2018 to coincide with the

enforcement of the EU’s General Data Protection Regulation (EU) 2016/670 (“GDPR”).

Adequacy

The DPL 2017 replaced Guernsey’s first set of data protection legislation that was introduced in 2001 in the form of the Data

Protection (Bailiwick of Guernsey) Law, 2001, as amended (“DPL 2001”). The DPL 2001 had been implemented in response to

the EU Directive 95/46/EC. Whereas the DPL 2001 was modelled on a UK enactment, the DPL 2017 is stated to be ‘equivalent’ to

the GDPR.

In 2003 Guernsey was recognised by the European Commission as providing an adequate level of protection for the free flow of

personal data to the Bailiwick (see Opinion 02072/07/EN WP 141 and Opinion 10595/03/EN WP 79). Following the enforcement

of the GDPR from 25 May 2018, the adequacy decision remains valid and effective in respect of Guernsey’s revised data protection

regime under the DPL 2017. The adequacy decision is currently being reassessed by the European Commission (as per Article

45(9) GDPR) and confirmation of the outcome of such reassessment is expected during 2021.

Scope and applicability

The DPL 2017 applies in relation to the processing of personal data where:

the processing is by automated means (whether wholly or partly) OR, if the processing is not by automated means, it is

intended to form part of a filing system; and

the processing is conducted by a controller or processor established in the Bailiwick of Guernsey (“Bailiwick”) OR the

personal data is that of a Bailiwick resident and is processed in the context of the offering of goods or services (whether or

not for payment) to the resident or the monitoring of the resident’s behaviour in the Bailiwick. The term “established in

the Bailiwick” is defined under the DPL 2017.

In practice, this means that there may be instances where controllers and processors established in the Bailiwick are subject to

both the DPL 2017 and, where they process personal data of data subjects who are in the EU, the GDPR.

A domestic exception is available where the processing is for the purpose of an individual’s personal, family or household affairs.

As from 25 May 2019, the initial period of transitional relief granted to controllers and processors in Guernsey came to an end. 

All controllers and processors must therefore comply with all aspects of the DPL 2017 (including the duty to notify pre-collected

data, carry out privacy impact assessments, comply with statutory obligations in relation to processor and joint controller-led

duties and renew consents collected prior to 25 May 2018). 

There is also a requirement (in certain instances) for controllers not ‘established in the Bailiwick’ to designate and authorise a

representative in the Bailiwick.

DEFINITIONS

Definition of personal data

Section 111(1) of the DPL 2017 defines personal data as “any information relating to an identified or identifiable individual”.

An ‘identifiable individual’ is given special meaning under Schedule 9 of the DPL 2017 and is defined as an individual who can be

directly or indirectly identified from the information including:

by reference to a name or an identifier;

one or more factors specific to the person’s physical, physiological, genetic, mental, economic, cultural or social identity;

where, despite pseudonymisation, that information is capable of being attributed  to that individual by the use of additional

information; or

by any other means reasonably likely to be used, taking into account objective factors such as technological factors and the

cost and amount of time required for identification in the light of the available technology at the time of processing.

Definition of special category data

‘Special category data’ means personal data consisting of information as to a data subject’s:

racial or ethnic origin

political opinions

religious or philosophical beliefs

trade union membership

genetic data, meaning personal data relating to the inherited or acquired genetic characteristics of an individual which gives

unique information about their physiology or their health, including as a result of an analysis of a biological sample from

that individual

biometric data, meaning personal data resulting from the specific technical processing relating to the physical, physiological

or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as

facial images or dactyloscopic data

health data, which includes any personal data relating to the health of an individual, including the provision of health care

services, which reveals their health status and includes information about their physical or mental health

sex life or sexual orientation

criminal data which relates to the commission or alleged commission by an individual of any offence, or any proceedings

for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of

any court in such proceedings.

NATIONAL DATA PROTECTION AUTHORITY

Overall oversight of the implementation of the DPL 2017 is vested in the Data Protection Authority (“Authority”). The Authority

delegates many of the day-to-day regulatory functions and provides governance to an independent operational body known as the

Office of the Data Protection Authority (“ODPA”) (formerly, the Office of the Data Protection Commissioner).

The Authority and the ODPA are also required, pursuant to The Data Protection (International Cooperation and Assistance)

(Bailiwick of Guernsey) Regulations, 2018 to have regard to Articles 60 – 62 GDPR by providing mutual cooperation with other

supervisory authorities relating to both the GDPR and the DPL 2017.

The office of the data protection authority

St Martin’s House

Le Bordage

St. Peter Port

Guernsey

GY1 1BR

Telephone

+44 (0) 1481 742074

E-mail

enquiries@odpa.gg

Website

odpa.gg

REGISTRATION

Section 39 of the DPL 2017 prohibits all controllers and processors established in the Bailiwick from processing personal data

unless they have registered with the ODPA. Failure to comply with section 39 of the DPL 2017 is a criminal offence.

The Authority may prescribe the form and manner of registration. These particulars are described in the Data Protection

(General Provisions) (Bailiwick of Guernsey) (Amendment No.2) Regulations, 2020 (the “Registration Regulations”) which set

out the framework for a new registration and levy collection regime applicable from 1 January 2021. The new regime abolishes the

previous set of exemptions from registration (which expired on 31 December 2020) and replaces them with a much narrower

sub-set of exemptions.

The Registration Regulations also introduce the concept of a ‘Levy Collection Agent’, which is, in essence, a regulated entity

licensed by the Guernsey Financial Services Commission (GFSC) which has been appointed to collect an entity’s registration fees on

its behalf.

Importantly, whilst a Levy Collection Agent has certain responsibilities under the Registration Regulations (which include

submitting an annual return, preparing and issuing certificates of exemption to all relevant entities which it administers and

retaining records on such entities for a period of 6 years), the ODPA has clarified in its guidance that “all the legal responsibility as

well as liability for data protection compliance still rests with [the controller/processor]…[and in this regard Levy Collection Agents] are simply

… a payment gateway to assist with the administrative requirements for the regulated community.”

Exemptions

Certain limited exemptions to the requirement to register are available to some controllers and processors under the

Registration Regulations. These include, for example, where the controller and/or processor has appointed a Levy Collection

Agent on its behalf. Not all entities will be eligible to appoint a Levy Collection Agent – this route is only available to organisations who

employ fewer than 50 FTE employees, are not required by law to appoint a DPO, do not already act as a Levy Collection Agent

and are not nonprofits. 

If a controller or processor seeks to rely on any one exemption, they must document their rationale for their decision.

Registration particulars

Since the introduction of the DPL 2017, the ODPA has streamlined the registration regime, both from an outward-facing and

internal perspective.  For example, in accordance with the GDPR’s approach, the register is no longer available to be searched

online, thereby removing the requirement for the ODPA to maintain a public register containing significant volumes of processing

details. The ODPA has also removed the requirement for controllers and processors to include details about the types of

processing undertaken and no longer requires entities to provide a description of the categories of data subject or details of the

countries to which such data is transferred.

Instead, at the time of writing, a controller or processor established in the Bailiwick who is required to register with the ODPA must give the ODPA an online annual return setting out the following information (as stipulated in the Registration Regulations):

- the contact details (including name and principal business address) of the entity to be registered
- confirmation of whether the entity is a controller, processor or both in relation to the processing activities
- the representative appointed (if the entity is based outside the Bailiwick)[1]
- confirmation of whether the entity is a charity / not-for-profit
- the DPO (as applicable)
- confirmation of whether the entity employs 50 or more full-time equivalent employees
- confirmation of whether the entity has agreed to act as Levy Collection Agent

The return must also be accompanied by a levy, which will be calculated depending on the status of the organisation (i.e. if it is a charity/not-for-profit) and the number of full-time equivalent employees employed by the entity.

Levy Collection Agents are required to submit a slightly different set of information to the ODPA, as follows:

- the contact details (including name, principal business address and GFSC number) of the Levy Collection Agent
- confirmation of whether the entity is a controller, processor or both in relation to the processing activities
- the DPO (as applicable)
- confirmation of whether the entity employs 50 or more full-time equivalent employees
- a declaration of the number of organisations the Levy Collection Agent is acting for.

The return must also be accompanied by a levy (being the aggregate of its own fees plus those of the entities that it administers).

There are two levels of fees:

- for organisations with 1-49 full-time equivalent (FTE) employees – £50 per annum; or
- for organisations with 50 or more FTE employees – £2,000 per annum.

The Registration Regulations stipulate that separate levies are applicable when dealing with certain government bodies.

[1] Section 38 of the DPL 2017

DATA PROTECTION OFFICERS

A data protection officer (“DPO”) must be appointed where:

- processing is carried out by a public authority (other than a court, or tribunal acting in a judicial capacity); or
- the core processing operations of the controller or processor require or involve “large-scale and systematic monitoring of data subjects” or “large-scale processing of special category of data”.

The ODPA has issued guidance clarifying what is intended by the use of the term “large-scale processing”, noting that this term is not defined in either the GDPR or the DPL 2017.

The ODPA’s guidance references the guidance on the appointment of DPOs (“DPO Guidelines”) issued by the EU’s former advisory body (previously known as the Article 29 Working Party and now replaced by the European Data Protection Board (“EDPB”)). The ODPA advises controllers and processors to take into account the terms of both the GDPR and the DPO Guidelines when assessing whether or not a DPO is required to be appointed. It also clarifies that small businesses in Guernsey are, as a general rule, unlikely to be undertaking large-scale processing unless they work with large databases of customers or other types of data subjects. Finally, the ODPA expects controllers and processors to review the scope and nature of processing periodically to ascertain whether or not their prior assessment remains valid or if there are sufficient factors to warrant appointing a DPO. All controllers and processors should document their decision-making and the outcome of such reviews.

COLLECTION & PROCESSING


Principles

Data controllers must comply with the data protection principles set out under Section 6(2) DPL 2017 (“Principles”). The Principles comprise:

a. Lawfulness, fairness and transparency: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data
b. Purpose limitation: personal data must be collected for specified, explicit and legitimate purposes and, once collected, not further processed in a manner incompatible with those purposes
c. Data minimisation: personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
d. Accuracy: personal data must be accurate and, where necessary, kept up to date, with reasonable steps being taken to ensure that personal data which is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay
e. Storage limitation: personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed
f. Integrity and confidentiality: personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
g. Accountability: the controller is responsible for, and must be able to demonstrate compliance with, the data protection principles described under paragraphs (a) – (f) above.

Lawful basis

Data controllers are required to ensure that they have a lawful basis for processing personal data. The DPL 2017 sets out a number of conditions which may be relied upon to legitimise the processing of personal data and special category data.

The most common conditions for controllers to rely on are that:

- the data subject consents to the processing
- the processing is necessary for the performance of a contract to which the data subject is a party or between a controller and a third party in the interests of a data subject, or is in order to take steps at the data subject’s request with a view to entering into a contract
- the processing is necessary for the controller to exercise any right or power, or perform or comply with a duty imposed on it by law, otherwise than an obligation imposed by an enactment, an order, or a judgment of a court or tribunal having the force of the law in the Bailiwick
- the processing is necessary in order to protect the vital interests of the data subject
- the processing is necessary for legitimate interests of the controller or third party except where the processing is exercised by a public authority
- the processing is necessary for the exercise or performance by a public authority of a function that is of a public nature or a task carried out in the public interest.

It is interesting to note that processing in the public interest is only available to public authorities, whereas the equivalent provision in the GDPR is much broader than this.

In addition to these conditions, controllers may also rely on one or more of a restrictive set of conditions in order to legitimise the processing of either personal data or special category data. These include (but are not limited to):

- the data subject providing explicit consent to the processing
- processing which is necessary for compliance with a legal right or power or duty imposed on a controller by an enactment
- processing which is made public as a result of steps deliberately taken by the data subject
- processing which is necessary for the purpose of or in connection with legal proceedings, the discharge of any functions of a court or tribunal, obtaining legal advice or establishing, exercising or defending legal rights


- processing which is for the administration of justice or the exercise of any function of the Crown, the States of Guernsey or a public committee
- processing which is necessary for a historical or scientific purpose
- processing which is necessary for the vital interests of a data subject.

Additional bases

In addition to the above, further secondary legislation has been adopted which sets out a number of additional lawful bases which are intended to be applied in limited circumstances.

These bases include (but are not limited to):

- the processing of health or criminal data for insurance business purposes
- special category data which is required in order to perform or comply with a duty conferred by law on a controller in connection with employment
- special category data for the prevention, detection or investigation of an unlawful act.

The additional bases will need to be considered on a case-by-case basis and may not always be straightforward to apply. If there were concerns regarding the legitimacy of such processing, we would recommend that you seek Guernsey law advice.

Consent

For the purposes of Section 10 DPL 2017, where a controller seeks to rely on consent, the controller must comply with more stringent requirements than under the DPL 2001 in order to ensure that such consent is valid.

‘Valid’ consent involves (amongst other characteristics) a “specific, informed and unambiguous indication of the data subject’s wishes by which a data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of their personal data”. In this regard, the DPL 2017 sets the same high standards for consent as the GDPR.

Furthermore, the ODPA guidance confirms that, in addition to the ingredients required to achieve valid consent, explicit consent must be expressly confirmed in words, rather than by a positive action. These requirements are summarised in a checklist for controllers setting out what controllers need to do when relying on consent.

Finally, in relation to consent, Section 10(2)(f) DPL 2017 stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services where that child is over 13 years of age. Otherwise, a parent (or other responsible adult) must give it on their behalf.

Transparency

Requirements of transparency under the DPL 2017 closely align with the GDPR. Therefore, the DPL 2017 requires that certain specified information must be supplied as part of a ‘fair processing notice’ (Schedule 3 DPL 2017), namely:

- the identity and contact details of the controller, and (where applicable) the controller’s representative
- the contact details of the data protection officer (if any)
- confirmation of whether any of the personal data is special category data
- where the personal data is not obtained directly from the data subject: confirmation of the source of the personal data and (if applicable) confirmation of whether the personal data was obtained from a publicly available source and, if so, confirmation of that source
- the purposes for which the data is intended to be processed and the legal basis for the processing
- an explanation of the legitimate interests pursued by the controller or by a third party, if the processing is based on those interests
- the recipients or categories of recipients of the personal data (if any)
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and whether or not there is an adequate level of protection for the rights and freedoms of data subjects
- the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period


- information concerning the rights of data subjects
- where the processing is based on consent, the existence of the right to withdraw consent
- a statement of the right to complain to the Authority
- the existence of any automated decision-making, meaningful information about the logic involved in such decision-making and the significance of any such decision-making for the data subject
- any further information that is necessary, having regard to the specific circumstances in which the data is or is to be processed, to enable the processing in respect of the data subject to be fair.

Rights of the data subject

The DPL 2017 has strengthened the rights of data subjects in line with the GDPR (Part III DPL 2017).

Controllers must respond to a request “as soon as practicable” and in any event within one month following:

- the day on which the controller has received the request,
- the day on which the controller receives the information necessary to confirm the identity of the requestor, or
- the day on which a fee or charge is paid to the controller.

These provisions represent a change to the position as last stated in August 2019 by the UK ICO.

The following rights are available to data subjects:

- Right to information for personal data collected about the data subject either directly or indirectly (Sections 13 – 14 DPL 2017): where personal data has been collected from a source other than the data subject, certain exceptions are available
- Right to data portability (Section 15 DPL 2017): a data subject has the right to have certain relevant personal data (being personal data relating to that person which has been provided to the original controller directly or via a processor) ported to a new controller, where:
  - that relevant personal data is being processed based on consent; or
  - processing is necessary for the conclusion or performance of a contract.
  Where the right applies, the original controller must ensure that any personal data transmitted is provided in a structured, commonly used and machine-readable format. The right is subject to certain exceptions set out under Section 16 DPL 2017
- Right of access (Section 15 DPL 2017): a data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data has been used by the controller. Section 16 DPL 2017 provides for certain exceptions, including where a request cannot be complied with without disclosing information about another individual[1], balancing the rights of the requestor with significant interests of the other individual. The DPL 2017 sets out further detail in respect of the factors which should be taken into consideration when making this determination.
- Right to object to processing (Sections 17 – 19 DPL 2017): data subjects have the right to object to processing for: (a) direct marketing purposes, (b) on public interest grounds, and (c) where the processing is for historical or scientific purposes. Whilst the right to object in respect of paragraph (a) is unconditional, the rights to object under paragraphs (b) and (c) are qualified and subject to a public interest test
- Right to rectification (Section 20 DPL 2017): a data subject has a right to request that any inaccurate or incomplete personal data be corrected or that a statement is provided on the controller’s file noting that the data subject disputes the accuracy or completeness of the personal data
- Right to erasure (Section 21 DPL 2017): data subjects may request erasure of their personal data. The right is not absolute; it only arises in a relatively narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or following the successful exercise by the data subject of their right to object, or if the data subject withdraws their consent
- Right to restriction of processing (Section 22 DPL 2017): a data subject may request that the processing of their personal data is restricted in certain limited circumstances. Examples include: where the accuracy of the personal data is contested; where the processing is unlawful; or where the data is no longer required (save for legal claims or for the purposes of obtaining legal advice or establishing / exercising or defending legal rights)
- Right to be notified of restriction, erasure or rectification (Section 23 DPL 2017): the controller must not only notify the data subject concerned but, unless it is impracticable or involves disproportionate effort, notify any other person to whom the personal data has been disclosed
- Right not to be subject to decisions based on automated processing (Section 24 DPL 2017): a data subject has a right not to be subjected to a decision reached through an automated process, and a controller is prohibited from causing or permitting a data subject to be subjected to an automatic decision unless Section 24(2) DPL applies. Section 24(2) permits automated processing where: the data subject has given their explicit consent; or the processing has been authorised by the States of Guernsey or via an enactment; or the automated processing is necessary for the vital interests of the data subject or another person or for the performance of a contract. Additional restrictions apply for the automated processing of special category data. A controller must ensure that appropriate safeguards are in place where automated processing has been conducted in accordance with Section 24(2) DPL (including allowing the data subject to appeal or seek a review of the decision)
- Right to make a complaint to the ODPA (Section 67 DPL 2017): a data subject may also complain in writing to the ODPA if they consider that a controller or processor has breached or is likely to breach the DPL 2017 and that breach involves or affects (or is likely to involve or affect) personal data relating to the individual or any data subject right of the individual; and
- Right to bring a civil action against a controller or processor for breach of duty (Section 79 DPL 2017): where a controller or processor breaches an operative provision under the DPL 2017 that causes damage to another person, the injured party may bring a claim in tort against the controller or processor for breach of statutory duty. The court may award damages, impose an injunction to restrain an actual or anticipated breach of duty and / or make a declaration that the controller or processor has committed or will commit a breach if its current course of action subsists. Individuals may also claim compensation for distress, inconvenience or other adverse effect suffered by an injured party even if it does not result from any physical or financial loss or damage. Group (or ‘class’) actions may also be brought against an organisation (Section 97 DPL 2017).

[1] It is worth flagging that the DPL 2017 refers to individuals as opposed to the wider concept of ‘others’, as the equivalent measure is set out in the GDPR. Therefore, it is unclear whether recital 63 of the GDPR would apply in a Guernsey context where the disclosure of information might adversely affect the rights and freedoms of a person other than an individual (e.g. where the disclosure of such information might prejudice the intellectual property rights of a company or partnership).

TRANSFER

The DPL 2017 differentiates between authorised jurisdictions and unauthorised jurisdictions.

Authorised jurisdictions include:

- the Bailiwick of Guernsey
- a member state of the European Union
- any country, sector or international organisation which has been determined by the European Commission as providing an ‘adequate level of protection’ for the rights and freedoms of data subjects or
- any designated jurisdiction.

A designated jurisdiction includes the UK (or any country within the UK), any Crown Dependency (such as the Channel Islands or Isle of Man) or any sector within the UK or a Crown Dependency.

Unauthorised jurisdictions means any country, sector in a country or international organisation that does not fall within the scope of an ‘authorised jurisdiction’.

Personal data must not be transferred outside of the Bailiwick of Guernsey by a controller or processor (“Exporter”) to an unauthorised jurisdiction unless the Exporter is satisfied that:

a. particular ‘safeguards’ are in place and there is a mechanism for data subjects to enforce their rights and obtain effective legal remedies against a controller or processor receiving the personal data (“Importer”) (section 56 DPL 2017)
b. the Authority or the ODPA has authorised the transfer (section 57 DPL 2017) or
c. other specified derogations exist (section 59 DPL 2017)

‘Safeguards’ for the purposes of paragraph (a) above include: legally enforceable agreements (where the Importer is a public authority / body), binding corporate rules, the EU’s Model Clauses (or equivalent provisions as may from time to time be in force) or approved codes or other approved mechanisms which combine binding and enforceable commitments on the Importer.

‘Derogations’ include:

- the data subject has given explicit consent to the transfer after having been informed of the risks of the transfer
- the transfer is necessary for the performance of a contract between the data subject and the controller or between the controller and a third party in the interests of the data subject or for the taking of steps at the request of the data subject with a view to the data subject entering into a contract with the data controller
- the transfer is authorised by regulations made for reasons of public interest
- the transfer is necessary for, or in connection with, legal proceedings, obtaining legal advice or for the purposes of establishing, exercising or defending legal rights
- the transfer is necessary to protect the vital interests of the data subject or another individual (provided that the data subject is physically or legally incapable of giving consent or the controller cannot be reasonably expected to obtain explicit consent)
- the transfer is part of personal data on a public register or a register to which a member of the public has lawful access
- a decision of a public authority (within or without the Bailiwick) based on an international agreement imposing international obligations on the Bailiwick or an order of a court or tribunal
- the transfer is in the legitimate interests of the controller which outweigh the significant interests of the data subject and:
  - the transfer is not repetitive
  - the transfer only concerns a limited number of data subjects
  - the controller has assessed all circumstances surrounding the data transfer and on the basis of that assessment considers that appropriate safeguards to protect personal data have been provided.

Where the transfer is justified on the legitimate interests grounds described above, both the ODPA and the data subject must be notified accordingly.

Transfers post Schrems II

The burden on Guernsey-established controllers and processors of transferring personal data to unauthorised jurisdictions has increased following the CJEU’s Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties (“Schrems II”).

Not only has the ODPA confirmed that transfers in reliance on the EU-US Privacy Shield framework are no longer valid but that, following Schrems II, where standard contractual clauses (“SCCs”) are used, controllers must ensure that they have “comprehensively review[ed]” the data transfer to ensure that “appropriate safeguards are in place”. However, the guidance does not provide any assistance as to what steps need to be taken in order to ensure that the chosen safeguards are appropriate.


These steps have since been clarified by the European Data Protection Board (“EDPB”), which published its draft Recommendations 01/2020 in November 2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. At the time of writing, these Recommendations were still in draft, but provide a key indication as to the EDPB’s direction of travel. The emphasis is now on controllers to satisfy themselves that transfers to unauthorised jurisdictions are properly assessed (taking into account the law and practice of the recipient jurisdiction) and, as appropriate, subject to supplementary measures. The EDPB are also currently consulting on a new set of SCCs which are expected to be approved in the first part of 2021.

Whilst the status of the CJEU jurisprudence is unclear in Guernsey, as the Bailiwick of Guernsey is not a Member State, it is likely to be persuasive (particularly in light of section 1(a) of the DPL 2017, which sets out a statement that the Data Protection Law be ‘equivalent’ to the GDPR).

Guernsey – UK Transfers – Brexit

Transfers of personal data from the Bailiwick to the UK are authorised by the States of Guernsey pursuant to the Data Protection (Authorised Jurisdiction) (Bailiwick of Guernsey) Ordinance, 2020 until 31 December 2021. It is anticipated that this will provide time for the EU to finalise its assessment of the UK’s laws and practices from an adequacy perspective.

SECURITY

Security features more prominently under the DPL 2017 than under its predecessor. Whilst implementing appropriate security measures to safeguard personal data from unauthorised or unlawful processing continues to be a feature of the DPL 2017 (see Principle 6 ‘Integrity and Confidentiality’), the DPL 2017 (unlike its predecessor) sets out with more clarity the steps required to ensure compliance.

Data controllers must take reasonable steps to ensure a level of security which is appropriate to the personal data, taking into account the nature, scope, context and purpose of the processing, the likelihood and severity of the risks to data subjects if the personal data is not secure (including the risk of unlawful or accidental destruction, loss or alteration and / or unauthorised disclosure of personal data), best practice and the costs of implementing appropriate measures.

Section 41 of the DPL 2017 provides some assistance as to what may be regarded as a reasonable ‘step’ to ensure appropriate security. In essence, to ensure compliance with this obligation, a controller should consider:

- pseudonymising and encrypting personal data
- ensuring that the controller or processor has and retains the ability to:
  - ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and
  - restore access to personal data in a timely manner in the event of a physical or technical incident; and
- establishing and implementing a process for regular testing and evaluation of the effectiveness of the technical and organisational measures.

There are several provisions which touch on the security obligations, located throughout the DPL 2017. Thus, the key provisions not only appear in the main security section (Part VI of the DPL 2017) but also form a key consideration (amongst other things) when undertaking a data protection impact assessment, the right to erasure, a controller’s duty to take reasonable steps to achieve compliance and the measures that should be in place when choosing a processor. For example, when assessing the suitability of a processor a controller must ensure that the processor provides sufficient guarantees that reasonable technical and organisational security measures governing the processing will be established to meet the requirements of the DPL 2017.

BREACH NOTIFICATION

What is a breach?

The DPL 2017 defines a ‘personal data breach’ as a “breach of security leading to the (a) accidental or unlawful destruction, loss, or alteration of; or, (b) unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

This definition replicates the definition set out in Article 4 of the GDPR.


Notice to ODPA

As with the GDPR, the DPL 2017 requires all controllers, upon becoming aware of a personal data breach, to provide written notice to the ODPA as soon as practicable and no later than 72 hours after becoming so aware. Section 42(5) of the DPL 2017 provides an exemption from the duty to notify the ODPA where the personal data breach is “unlikely to result in any risk to the significant interests of the data subject”.

In determining whether or not there is a risk, the ODPA’s guidance entitled ‘Notification of Personal Data Breaches’ (“Breach Guidance”) advises organisations who process personal data to consider the type of personal data they hold and whether any breach could, both at the time of the breach and in the future, ‘adversely affect an individual’ taking into consideration the potential for financial loss, reputational damage, or identity fraud.

The DPL 2017 stipulates the sort of information which must be provided to the ODPA in the event of such a breach, including a description of the nature of the personal data breach, contact details of the DPO or contact point, a description of the likely consequences of the breach, a description of the measures taken or proposed to be taken to address risks and mitigate against possible adverse effects and an explanation of any delays (where a breach has been notified after 72 hours).

All breaches which must be notified to the ODPA can be submitted to the ODPA via their online secure breach reporting facility.

In any case, whether a personal data breach is notified to the ODPA or not, the controller must keep a written record of each personal data breach of which the controller is aware, including the facts relating to the breach, the effects, the remedial action taken and any steps taken by the controller to comply with its notification obligations (including a copy of the notice provided to the ODPA).

Notice to data subjects

Where a controller becomes aware of a personal data breach that is likely to pose a “high risk to the significant interests of a data

“, the controller must give the data subject written notice of the breach as soon as possible.subject

The Breach Guidance provides a non-exhaustive of factors for controllers to take into account when determining whether a

breach poses a ‘high risk’. Whilst financial loss, reputational damage and identity fraud must be considered, the Breach Guidance

also includes the risk of whether the breach might have an adverse impact of safety or wellbeing of the data subject (including

psychological distress or humiliation). When assessing the risks, the ODPA expects all controllers to consider the nature, scope,

context and purpose of the compromised personal data, including whether special category data had been compromised.

Any notice given to an affected data subject must include a description of the nature of the breach, the name and contact details of

the DPO or point of contact, a description of the likely consequences of the breach, and a description of the measures taken or

proposed to be taken by the controller to address the breach. 

A controller is exempt from the requirement to notify a data subject where it has:

established and carried out appropriate technical and organisational measures to protect personal data and, in particular,

those measures have rendered personal data unintelligible to any person who is not authorised to access it (e.g.

encryption); or

taken subsequent measures to mitigate the risk, such that the ‘high risk’ is no longer likely to materialise, or where the

performance of the duty would involve ‘disproportionate effort’. 

Whilst the Breach Guidance does not define what will amount to ‘disproportionate effort to notify’, it clarifies that a controller

must nonetheless publish a notice (without making public any personal data) or take any other step equivalent to publication in

order to inform the data subjects in an equally effective manner.

Notice to controller (where a processor is engaged)

The responsibility for reporting a personal data breach to the ODPA rests with the controller. However, where a processor

becomes aware of a personal data breach, the processor must give the controller notice as soon as practicable. Where notice is


given orally, written notice must follow at the first available opportunity. 

Other regulatory notification requirements

Guernsey’s European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004 (as amended) (“e-Privacy Ordinance”) requires a provider of a public electronic communications service (the ‘service provider’) to notify subscribers of a significant risk to the security of the service.

ENFORCEMENT

The Authority and the ODPA are responsible for administering and enforcing the DPL 2017 (Section 61(1)(a) DPL 2017).

When investigating a complaint regarding a potential breach of the DPL 2017, the Authority has wide powers to require

information and, with appropriate warrants, powers to enter premises and search them (Schedule 7 DPL 2017). It may also

conduct and / or require an audit of a controller or processor.

Before making a breach determination or an enforcement order, the ODPA may give the person concerned a written notice of

the ODPA’s proposals and allow the person time (up to 28 days) to make representations. However, the ODPA may dispense

with this requirement if the determination or order needs to be made immediately or without notice in the interests of the data

subjects or where the ODPA has reasonable grounds for suspecting that data may be tampered with or that to do so might

seriously prejudice any other investigation etc. There is a right to appeal the decision of the ODPA under section 84 DPL 2017.

Following a breach determination, the ODPA may take the following enforcement action:

Reprimand

The DPL 2017 does not specify the conditions upon which a reprimand may be issued. However, it will most likely take the form of a notice issued in combination with an administrative fine or a formal undertaking by the controller or processor to meet future compliance with any part of the DPL 2017.

Warning

A warning may be given where the ODPA determines that any proposed processing or other act or omission is likely to be a

breach of the DPL. 

Order

This refers to a formal notice of enforcement and can consist of an order to do any or all of the following:

bring specified processing operations into compliance with an operative provision of the DPL 2017, or take any other

specified action required to comply with said provision, in a manner and within a period specified in the order

notify a data subject of any personal data breach

comply with a request made by the data subject to exercise a data subject right

rectify or erase personal data

restrict or limit the recipient’s processing operations (which may include restricting or ceasing the processing operation

or suspending any transfers to an unauthorised jurisdiction)

notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on

processing

Administrative fines

Whilst the GDPR has the potential to attract administrative fines of up to 4% of annual worldwide turnover or EUR 20 million

(whichever is higher), the administrative fines under the DPL 2017 are generally lower (between £5,000,000 – £10,000,000) and

can be broadly categorised on four levels.

Level 1


Administrative fines issued against a controller or processor may not exceed £5,000,000 for breaches of section 74(1)(a) – (d)

DPL 2017, comprising the following:

failure to make reasonable efforts to verify that a person who has given consent to the processing of a child’s personal

data (being a child who is under 13 years’ old) in the context of offering information society services directly to that child,

is duly authorised to give consent to that processing under Section 10(2)(f) DPL 2017

failure to take reasonable steps to inform the data subject of anonymisation (in breach of Section 11(1)(b) DPL 2017)

any breach of the general duties of controllers and processors (except section 31 DPL 2017 – duty to take reasonable

steps for compliance) (breach of Part IV DPL 2017)

any breach of a controller’s administrative duties including the requirement to designate a representative in the Bailiwick

in certain cases and the requirement to register and pay fees to the ODPA (as per Part V DPL 2017)

a breach of the security provisions contained in Part VI DPL 2017

failure to comply with the requirements in respect of data protection impact assessments and prior consultation (except

section 46 DPL 2017 – prior consultation required for high-risk legislation) in accordance with Part VII DPL 2017

failure to comply with the requirements to designate a DPO (where required) or with the ancillary duties relating to the DPO’s functions (breach of Part VIII DPL 2017).

Level 2

Administrative fines issued against a controller or processor may not exceed £10,000,000 for breaches of section 74(1) DPL 2017,

comprising the following (in addition to the Level 1 list above):

breach of any duty imposed on the person concerned by section 6(1) (data protection principles) including lawfulness of

processing

breach of any duty imposed on the person concerned under Part III DPL 2017 (data subject rights)

failure to comply with an order by the Authority under section 73(2) DPL 2017 within the time specified in the order

transfer of personal data to a person in an unauthorised jurisdiction in breach of section 55 DPL 2017 (general prohibition

of transfers of personal data outside of the Bailiwick to unauthorised jurisdictions)

breach of any provision of any ordinance or regulations made pursuant to the DPL 2017 which imposes a duty on a

controller or processor.

Level 3

In addition to the two administrative fines described above, the DPL 2017 imposes a ‘cap’ on administrative fines of up to

£300,000 (unless the fine is less than 10% of the person’s total annual global turnover or total global gross income in the preceding

financial year).

Level 4

An administrative fine issued against a person must not exceed 10% of the total global annual turnover or total global gross

income of that person during the period of the breach in question, for up to 3 years.

Enforcement activity has increased since the implementation of the DPL 2017 and more specifically during the last 12 months. To

date, we are aware that two Guernsey controllers have been subject to administrative fine orders for the sum of £80,000 and

£10,000 respectively. We are also aware that the ODPA has issued both public and private reprimands on controllers (the

severity of which depends on the seriousness of the breach).

Offences / criminal proceedings

In addition to the above, the DPL 2017 imposes criminal sanctions on persons who are found guilty of certain specified offences.

Such offences include:

unlawful obtaining or disclosure of personal data

obstruction or provision of false, deceptive or misleading information


impersonation of an Authority official, and

(unless an exception applies) breach of confidentiality by a designated official without the consent of the individual.   

Regarding the offence under paragraph (d) above, a ‘designated official’ shall include a member of the Authority including the

Commissioner and any DPO. 

Criminal liability can attach to any director or other officer of the organisation including a body corporate, general partner of a

limited partnership, foundation official etc. Criminal proceedings may also be instigated against an unincorporated entity in the case

of a general partnership, or a committee etc.

ELECTRONIC MARKETING

Direct marketing by electronic means to individuals and organisations is regulated by the European Communities (Implementation of Privacy Directive) (Guernsey) Ordinance 2004 (“e-Privacy Ordinance”).

Following the implementation of the DPL 2017, minor and consequential changes were made to the e-Privacy Ordinance, which is

intended to sit alongside the DPL 2017.

In this regard, neither the e-Privacy Ordinance nor the DPL 2017 prohibits the use of personal data for the purposes of electronic marketing, provided that individuals have the right to prevent the processing of their personal data (i.e. a right to ‘opt out’) for direct marketing purposes.

As such, the e-Privacy Ordinance still reflects the e-Privacy Directive and, for example, prohibits the use of automated calling

systems without the consent of the recipient. Furthermore, unsolicited emails can only be sent without consent if:

the contact details have been provided in the course of a sale or negotiations for a sale

the marketing relates to a similar product or service, and

the recipient was given a simple method of refusing the use of their contact details when they were collected.

The identity of the sender cannot be concealed in direct marketing communications sent electronically (which is likely to include

SMS marketing).

These restrictions only apply in respect of individuals and not where corporations are sent marketing communications.

ONLINE PRIVACY

The 2011 amendments to the Privacy and Electronic Communications Regulations 2003 by the UK in relation to cookies did not find their way into Guernsey law and there are no immediate plans for this to be done. However, certain aspects of online privacy nevertheless remain governed by the e-Privacy Ordinance (defined under Electronic Marketing above).

As a matter of good practice:

the use of cookies should be identified to web users

cookies should be accompanied with a description of what the cookies are doing and why they are being used

consent should be obtained (at least initially) from the web user where the website intends to store a cookie on their

device.

Consent in this context must be freely given, specific, informed and an unambiguous positive action (although it does not need to

be explicit).

Traffic data held by a service provider must be erased or anonymised when it is no longer necessary for the purpose of a

transmission or communication and only used for permitted purposes.  It must also be accompanied by information as to the

nature of the processing.  Exceptions include if the information is being retained in order to provide a value added service to the

data subject or if it is held with their consent.

Traffic data should only be processed by a service provider for (a) the management of billing or traffic, (b) customer enquiries, (c)


the prevention or detection of fraud, (d) the marketing of electronic communications services, or (e) the provision of a value

added service.

Location data may only be processed in circumstances where the organisation processing such data is a public communications

provider, a provider of a value added service, or a person acting on the authority of such provider and only where the user /

subscriber cannot be identified from that data (i.e. because they are anonymous) or for the provision of a value added service with

consent.

Given the fundamental changes to the data protection regime since the e-Privacy Ordinance was introduced in 2004 and the ongoing negotiations in Europe in relation to the so-called ‘e-Privacy Regulation’ (“Regulation”), further amendments to the e-Privacy Ordinance are, perhaps, inevitable. The States of Guernsey continues to monitor the progress of the draft Regulation in the meantime.

KEY CONTACTS

Carey Olsen (Guernsey) LLP

www.careyolsen.com


Alexandra Gill
Associate

Carey Olsen (Guernsey) LLP

T +44 (0)1481 741546

alexandra.gill@careyolsen.com


GUINEA

Last modified 20 December 2021

LAW

Law n° L/2016/037/AN dated July 28, 2016, on Cybersecurity and Personal Data Protection in the Republic of Guinea regulates

personal data.

DEFINITIONS

Definition of personal data 

Article 1 of Law No. L/2016/037/AN defines personal data as any information of any kind and regardless of its medium, including

sound and image, relating to an identified or identifiable natural person directly or indirectly, by reference to an identification

number or to one or more factors specific to his or her physical, physiological, genetic, mental, cultural, social or economic

identity. 

Definition of sensitive personal data 

According to Article 1 of Law No. L/2016/037/AN, sensitive data is any personal data relating to religious, philosophical, political or trade union opinions or activities, sex life or racial origin, health, social measures, prosecutions, and criminal and administrative sanctions.

NATIONAL DATA PROTECTION AUTHORITY

Article 47 of the Law on Cybersecurity and Personal Data Protection in the Republic of Guinea provides that the authority in charge of personal data protection is to be established by regulation. That authority has not yet been established.

REGISTRATION

Law on Cybersecurity and Personal Data protection in the Republic of Guinea provides that the processing of personal data is

subject to a prior declaration or request for authorisation of the competent authority designated by regulation. 

The declaration or request for authorisation may be sent to the authority in charge of personal data protection by post, in person

at the premises of the said authority or by any other means against the delivery of an acknowledgment of receipt in due form. 

The authority in charge of personal data protection has a period of two months to decide on any declaration or request submitted

or addressed to it. This period may be extended by two additional months provided that the personal data protection authority

can justify its decision or the extension. 

The declaration or request for authorisation must include the commitment that the protection meets the requirements of the law

on Cybersecurity and Protection of Personal Data and any other regulations or laws in the Republic of Guinea relating to personal

data protection.  


On receipt of the declaration, the competent authority issues an acknowledgment of receipt, where appropriate by electronic means.

The applicant may implement the processing operation once this acknowledgment has been received. However, the acknowledgment does not relieve the applicant of any responsibility.

Processing operations carried out by the same organisation and having identical or related purposes may be subject to a single

declaration. The information required under the declaration shall be provided for each of the processing operations only insofar as

it is specific to said declaration. 

Law on Cybersecurity and Personal Data Protection also provides that the modalities for filing declarations or request for

authorisation for the processing of personal data shall be determined by presidential decree. This decree has not yet been

implemented.

DATA PROTECTION OFFICERS

A data controller may appoint a data protection officer. According to Article 14 et seq. of the Law on Cybersecurity and Personal Data Protection, the data protection officer must be a person qualified to perform such tasks. He must keep a list of the processing operations carried out, which must be immediately accessible to any person who requests it, and may not be subject to any sanction by his employer as a result of the performance of his duties.

The appointment of a data protection officer by the data controller must be notified to the authority responsible for personal data

protection. This appointment must also be brought to the attention of the employer’s staff representative bodies. 

COLLECTION & PROCESSING

Law on Cybersecurity and Personal Data Protection exempts the processing of personal data from the formalities of declaration,

notably in the case of: 

Processing of data used by a natural person exclusively in the course of his or her personal, domestic or family activities;

Processing of data concerning a natural person, the publication of which is prescribed by a legal or regulatory provision;

Processing of data whose sole purpose is the keeping of a register which is intended for exclusively private use; etc. 

Furthermore, it is also provided that certain matters or actions are subject to prior authorisation by the competent authority

before being implemented, these include: 

Processing of personal data relating to genetic and medical data and scientific research in these fields;

Processing of personal data relating to offences, convictions and security measures pronounced by the competent courts;

Processing of personal data relating to a national identification number or any other identifier of the same kind, in

particular telephone numbers;

Processing of personal data containing biometric data;

Processing of personal data for reasons of public interest, in particular for historical, statistical or scientific purposes;

The proposed transfer of personal data to a third country. 

Requests for processing shall be submitted by the controller or his/her legal representative. However, the authorisation does not

exempt its holder (data controller) or his representative from their responsibility towards third parties.

TRANSFER

The data controller may be authorised to transfer such data to a third country only if the State ensures a higher or equivalent level

of protection of the privacy, fundamental rights and freedoms of individuals with regard to the processing to which such data is or

may be subject.

Before any effective transfer of personal data to the third country, the data controller must obtain prior authorisation from the

personal data protection authority. Any transfer of personal data to a third country is subject to strict and regular control by the

personal data protection authority, in the light of its purpose. 


SECURITY

According to the Law on Cybersecurity and Personal Data Protection, the processing of personal data is confidential and must be carried out exclusively by persons acting under the authority of the data controller, and only on his instructions.

The Data controller is required to take all necessary precautions, in view of the nature of the data, and in particular to prevent it

from being distorted, damaged or accessed by unauthorised third parties. 

BREACH NOTIFICATION

Law on Cybersecurity and Personal Data Protection provides that the authority in charge of personal data protection may

pronounce the following measures against the Data controller: 

A warning to the said controller who does not comply with the obligations resulting from the Law on cybersecurity and

Personal Data Protection to which he is subject;

A formal notice to cease the breaches identified, within the time limit set by the said protection authority.

ENFORCEMENT

Law on cybersecurity and Personal Data Protection sets out administrative, criminal, recidivism and civil liability as well as

additional publication of sanctions for breaches of the provisions of said statute.

ELECTRONIC MARKETING

Law L/2016/035/AN on electronic transactions in the Republic of Guinea provides that any advertisement, whatever its form, as soon as it is accessible or likely to be accessible by electronic communications, must be clearly identified as an advertisement. It must also make it possible to identify the natural or legal person on whose behalf it is made.

Advertisements and notably promotional offers, such as discounts, premiums or gifts, as well as competitions or promotional

games, sent by electronic mail, must be clearly, precisely and unequivocally identifiable on the subject of the mail as soon as they

are received by the addressee or, if technically impossible, in the body of the message. 

The conditions for taking advantage of promotional offers, as well as for participating in promotional competitions or games, when offered by e-mail, must be clearly specified and easily accessible to the public.

Pursuant to Law on electronic transactions in the Republic of Guinea, direct marketing by sending messages through an automatic

calling machine or SMS, fax or e-mail or any other electronic means of communication using, in whatever form, the contact details

of a natural person who has not expressly given his or her prior consent to receive direct marketing through these channels or

means is prohibited. 

However, direct marketing by e-mail, regardless of the means used, is permitted if:  

The contact details of the recipient of the mail have been collected, with full knowledge of the facts, directly from him/her;

The direct prospecting is addressed to subscribers or customers of a natural or legal person whose details have been

 collected with their full knowledge of the facts, for similar products and services that it offers them.

ONLINE PRIVACY

The Law on Cybersecurity and Personal Data Protection does not provide any specific rules governing online privacy. 

However, the law prohibits, and punishes with a prison sentence of one (1) to five (5) years and a fine of 30,000,000 to 200,000,000 Guinean francs, the carrying out or attempted carrying out of direct prospecting by any means of communication using, in any form whatsoever, the personal data of a natural person who has not given his/her prior written consent.

In particular, it provides that any person has the right to object, on request and free of charge, to the processing of personal data


concerning him or her and intended for prospecting purposes.

KEY CONTACTS

Sylla & Partners

syllapartners.com/


Mohamed Sidiki Sylla
Managing Partner

Sylla & Partners

T +224 622 28 10 16

msylla@syllapartners.com

Alpha Toubab Millimono
Associate

Sylla & Partners

T +224 620 56 33 00

amillimono@syllapartners.com


HAITI

Last modified 15 February 2022

LAW

Arrêté fixant les règles relatives à la protection des données à caractère personnel, published in the official gazette, Le Moniteur, #87 of

May 15, 2018.

Code Penal, Published in the official gazette, Le Moniteur, Special #10, June 24, 2020.

DEFINITIONS

Definition of Personal Data

The Decree contains no definition of personal data.

Definition of Sensitive Personal Data

Article 4 of the Decree on personal data provides that “Any release of personal data that is likely to infringe the rights and freedom of

 an individual is forbidden”.

In our interpretation, this provision refers to sensitive personal data. Sensitive personal data is therefore any data whose release is likely to infringe the rights and freedoms of an individual.

NATIONAL DATA PROTECTION AUTHORITY

Such entity does not exist yet in Haiti.

REGISTRATION

N/A.

DATA PROTECTION OFFICERS

N/A.

COLLECTION & PROCESSING

The person about whom personal data is collected must be informed that it is being collected and will be processed.

The collection of personal data must be relevant and necessary for the purpose for which it is recorded. That purpose must also be communicated to the person concerned.

TRANSFER


If personal data is communicated to a third party, it must remain accessible to, and capable of being corrected by, the person to whom it relates.

SECURITY

The Decree provides that personal data must be stored in a way that protects its confidentiality and prevents disclosure. Access to stored data must be limited to specific persons whose position requires it.

BREACH NOTIFICATION

The law does not regulate how a data breach should be handled. However, any disclosure of personal data (including through a breach) may give rise to criminal and administrative proceedings.

Mandatory breach notification

No regulation on the matter.

ENFORCEMENT

No specific regulation on that matter; see Articles 436 and 437 of the Penal Code.

ELECTRONIC MARKETING

The Decree on data privacy requires the user’s consent whereas Article 438 (2) of the Penal Code only specifies that the person

needs to opt-out. Given that the Decree on personal data is a specific legislation on data privacy, we recommend having the user

consent prior to collecting his data.

ONLINE PRIVACY

No specific regulation on that matter.

KEY CONTACTS

Cabinet Salès

cabinetsales.com/


Christelle Vaval
Partner

Cabinet Salès

T +509 3881 5484

cvaval@cabinetsales.com

Jean-Frédéric Salès
Managing Partner

Cabinet Salès

T +509 2815 1500

jfsales@cabinetsales.com


HONDURAS

Last modified 24 January 2022

LAW

Personal data protection is regulated mainly in:

National Constitution: Article 182 provides the constitutional protection of habeas data, giving individuals the right ‘to access any file

or record, private or public, electronic or hand written, that contains information which may produce damage to personal honour

and family privacy. It is also a method to prevent the transmission or disclosure of such data, rectify inaccurate or misleading data,

update data, require confidentiality and to eliminate false information. This guarantee does not affect the secrecy of journalistic

sources.’

Law of the Civil Registry (Article 109, Decree 62-2004). This law refers only to public personal information that is contained in the

archives of the Civil Registry.

Law for Transparency and for Access to Public Information (Article 3.5, Decree 170-2006). This law enables the access of any person

to all the information contained in public entities, except that which is classified as ‘Confidential.’ It also extends the constitutional

protection of habeas data and forbids the transmission of personal information that may cause any kind of discrimination or any

moral or economic damage to people.

Rulings on the Law for Transparency and for Access to Public Information (Article 42, Accord 001-2008). Provide a definition of

databases containing personal confidential information, and requires data subject consent, prior to the use of it by any third party.

In addition, the Law for the Protection of Confidential Personal Data (the “Law”) is currently in discussion in the Honduran

Congress. Congress has approved the first chapters of the Law. The complete approval of the Law and the date for when the Law

will enter into force is expected in the first half of 2019.

DEFINITIONS

Definition of personal data

Public Personal Data under the Law of the Civil Registry is defined as: Public Data whose disclosure is not restricted in any way,

and includes the following:

Names and surnames

ID number

Date of birth and date of death

Gender

Domicile (but not address)

Job or occupation

Nationality

Civil status


Definition of sensitive personal data

The Law for Transparency and for Access to Public Information defines ‘Sensitive Personal Data’ as: “Those personal data relating

to ethnic or racial origin, physical, moral or emotional characteristics, home address, telephone number, personal electronic

address, political participation and ideology, religious or philosophical beliefs, health, physical or mental status, personal and

familiar heritage and any other information related to the honor, personal or family privacy, and self-image.”

Other Definitions:

Consent: Written and express authorization of the person to whom the personal data refers in order to disclose, distribute, commercialize, or otherwise use it for a purpose other than that for which it was originally provided

Confidential Information: Information provided by particular persons to the government which is declared confidential by

any law, including sealed bids for public tenders

Classified Information: Public information classified as that by the law, and / or by resolutions issued by governmental

institutions

NATIONAL DATA PROTECTION AUTHORITY

Two entities are responsible for enforcing personal data protection:

National Civil Registry

http://www.rnp.hn

Institute for the Access to Public Information

http://www.iaip.gob.hn

REGISTRATION

Only Obligated Entities must inform the Institute for the Access to Public Information of their databases. Obligated Entities are:

Government institutions

NGOs

Entities that receive public funds, and

Trade unions with tax exemptions

The Institute for the Access to Public Information will maintain a list of the databases of the above-mentioned entities.

DATA PROTECTION OFFICERS

Only Obligated Entities must appoint a data protection officer.

COLLECTION & PROCESSING

Individuals, companies, and / or Obligated Entities that collect personal data may not use sensitive personal data or confidential

information without the consent of the person to whom such information relates.

However, consent is not required to use or transfer personal data in the following cases:

If the information is used for statistical or scientific needs, but only if the personal data is provided in a way that it cannot

be associated with the individual to whom it relates

 

If the information is transmitted between Obligated Entities, only if the data is used in furtherance of the authorised

functions of those entities

 

If ordered by a Court

https://www.dlapiperdataprotection.com

http://www.rnp.hn

http://www.iaip.gob.hn/

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Honduras 469 | | | www.dlapiperdataprotection.com

 

If the data is needed for the purpose it was provided to the individual or company to perform a service. Such third parties

may not use personal information for purposes other than those for which it was transferred to them

 

In other cases established by law

TRANSFER

Individuals and / or companies may not transfer, commercialize, sell, distribute or provide access to personal data contained in

databases developed in the course of their job, except with the express and direct written consent of the person to whom that

data refers, subject to certain exceptions.

SECURITY

The Institute for the Access to Public Information has the authority to require all Obligated Entities to take necessary security

measures for the protection of the personal data they collect and / or use.

The current legislation neither clarifies nor specifically identifies the security policies or security mechanisms that Obligated

Entities must comply with.

As a general statement, the Institute for the Access to Public Information has to ensure the security of all Public Information, of all

information classified as confidential by public entities, of all sensitive personal data, and of all information to which the current

legislation gives a secrecy status.

BREACH NOTIFICATION

Breach notification is not required.

ENFORCEMENT

The Institute for the Access to Public Information may receive complaints about abuses regarding the collection of personal or

confidential data.

The Institute will impose corrective measures and establish recommendations for those persons or companies who disclose

personal data, sensitive personal data or confidential data without authorization.

ELECTRONIC MARKETING

There is no law or regulation that specifically regulates electronic marketing.

ONLINE PRIVACY

There is no law or regulation that specifically regulates online privacy.

KEY CONTACTS

Bufete Gutiérrez Falla y Asociados

www.gufalaw.com/

Julio Alejandro Pohl Garcia Prieto
Associate

T +504 2238-2455

julio.pohl@gufalaw.com


DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

HONG KONG, SAR

Last modified 22 December 2021

LAW

The Personal Data (Privacy) Ordinance (Cap. 486) (Ordinance) regulates the collection and handling of personal data. The

Ordinance has been in force since 1996, but in 2012/2013 was significantly amended (notably with regard to direct marketing).

Most recently, the Personal Data (Privacy) (Amendment) Ordinance (“Amendment Ordinance”) came into force in October 2021 and introduces new offences of doxxing and corresponding penalties.

At Bill stage, the Amendment Ordinance had originally included a number of other proposed amendments by the PDPO (as per

the January 2020 consultation paper): the other amendments are still being considered by the Legislative Council and there is no

indication of when these might be passed.

DEFINITIONS

Definition of personal data

Personal data is defined in the Ordinance as any data:

Relating directly or indirectly to a living individual

From which it is practicable for the identity of the individual to be directly or indirectly ascertained, and

In a form in which access to or processing of the data is practicable

The Consultation Paper proposes to expand the definition of personal data to cover anonymized information where the relevant

individual can be re-identified.

Definition of sensitive personal data

There is not a separate concept of sensitive personal data in the Ordinance. However, non-binding guidance issued by the Office

of the Privacy Commissioner for Personal Data (PCPD) (in the context of biometric data) has indicated that higher standards

should be applied as a matter of best practice to more sensitive personal data.

NATIONAL DATA PROTECTION AUTHORITY

The Office of the Privacy Commissioner for Personal Data

13/F, Sunlight Tower

248 Queen’s Road East

Wanchai

Hong Kong


T +852 2827 2827

F +852 2877 7026

http://www.pcpd.org.hk/

The PCPD is responsible for overseeing compliance with the Ordinance.

REGISTRATION

Currently, there is no requirement for organizations that control the collection and use of personal data (known as “data users”)

to register with the data protection authority.  

However, under the Ordinance the PCPD has the power to specify certain classes of data users to whom registration and

reporting obligations apply. Under the Data User Return Scheme (DURS), data users belonging to the specified classes are

required to submit data returns containing prescribed information to the PCPD, which will compile them into a central register

accessible by the public. However, at the time of writing, no register has been created to date. The PCPD has proposed to

implement the DURS in phases, with the initial phase covering data users from the following sectors and industries:

The public sector

Banking, insurance and telecommunications industries, and

Organizations with a large database of members (eg, customer loyalty schemes)

A public consultation for the DURS by the PCPD was concluded in September 2011. The PCPD had originally planned to

implement the DURS in the second half of 2013. However, in January 2014, the PCPD indicated that it planned to put the DURS

on hold until the reforms of the European Union (EU) data protection system have been finalized (as the Hong Kong model is

broadly based on the same) but no exact time frame for the implementation has been announced. In light of the European Union

General Data Protection Regulation 2016/679 (GDPR), which generally eliminated the data processing registration requirements

under EU data protection law, it is unclear now whether the PCPD will implement the Hong Kong DURS scheme.

DATA PROTECTION OFFICERS

Currently, there is no legal requirement for data users to appoint a data protection officer in Hong Kong. However, in February

2014, the PCPD issued a best practice guide to advocate the development of a privacy management program and encourage data

users to appoint or designate a responsible person to oversee the data users’ compliance with the Ordinance. This role may or

may not be a full-time job, and there is no specific requirement for a Hong Kong citizen or resident to hold this role. There is no

specific enforcement action or penalty if a company does not appoint a data protection officer.

COLLECTION & PROCESSING

A “data user” (which is akin to a “data controller” under GDPR) may collect personal data from a data subject if:

The personal data is collected for a lawful purpose directly related to a function or activity of the data user

The collection is necessary for or directly related to that purpose

The data to be collected is adequate but not excessive, and

All practical steps have been taken to ensure that the data subject has been informed, on or before collection of the data,

of the following:

Whether the supply of personal data by the data subject is obligatory or voluntary and, if obligatory, the

consequences of not supplying the data

The purposes for which the data will be used

The persons to whom the data may be transferred


The data subject’s right to request for access to and correction of their personal data, and

The name or job title, and address, of the individual to whom requests for access or correction should be sent

Separately, additional notice requirements apply to direct marketing (see below).

Data users may only collect, use and transfer personal data for purposes notified to the data subject on collection (see above),

unless a limited exemption set out in the Ordinance applies. Any usage or transfer of personal data for new purposes requires the

prescribed consent of the data subject.

Data users are also required to take all practicable steps to ensure the accuracy and security of the personal data; to ensure it is

not kept longer than necessary for the fulfillment of the purposes for which it is to be used (including any directly related

purpose); and to keep and make generally available their policies and practices in relation to personal data.

While the Ordinance currently does not regulate data processors, the Consultation Paper proposes to regulate data processors

directly and impose direct liability on them regarding data retention, data security and data breach notification.

In October 2018, the PCPD published a “New Ethical Accountability framework.” Under the framework, the PCPD is effectively urging businesses operating in Hong Kong to undertake privacy impact assessments (referred to as “Ethical Data Impact Assessments”), which are already required to some extent under a number of other laws, such as those of China and the Philippines, as well as the GDPR. More recently, in 2019, the PCPD further noted that this framework and the concept of data ethics and stewardship in development are beneficial to fintech applications.

TRANSFER

Data users may not transfer personal data to third parties (including affiliates) unless the data subject has been informed of the

following on or before their personal data was collected:

That their personal data may be transferred

The classes of persons to whom the data may be transferred

There are currently no restrictions on transfer of personal data outside of Hong Kong, as the cross-border transfer restrictions

set out in section 33 of the Ordinance were held back and have not yet come into force. A proposal to implement section 33

(perhaps with amendments) was put forward to the Hong Kong government in 2015, but this process has been delayed. Notably,

however, these were not included in the Consultation Paper. If these restrictions come into force as currently drafted, they will

have a significant impact upon outsourcing arrangements, intragroup data sharing arrangements, compliance with overseas

reporting obligations and other activities that involve cross-border data transfer.

Nevertheless, non-binding best practice guidance published by the PCPD encourages compliance with the cross-border transfer

restrictions in section 33 of the Ordinance, which prohibit the transfer of personal data to a place outside Hong Kong unless

certain conditions are met (including a white list of jurisdictions; separate and voluntary consent obtained from the data subject;

and an enforceable data transfer agreement for which the PCPD provides suggested model clauses).

SECURITY

Data users are required by the Ordinance to take all practical steps to ensure that personal data is protected against unauthorized

or accidental access, processing, erasure, loss or use, having regard to factors including the nature of the personal data and the

harm that could result if data breaches or leaks were to occur.

Where the data user engages a data processor to process personal data on its behalf, the data user must use contractual or other

means to:

Prevent unauthorized or accidental access, processing, erasure, loss or use of the personal data, and

Ensure that the data processor does not retain the personal data for longer than necessary


The Consultation Paper proposes to require organizations to formulate and publish a clear data retention policy specifying

retention period(s) for personal data collected.

BREACH NOTIFICATION

Currently there is no mandatory requirement under the Ordinance for data users to notify authorities or data subjects about data

breaches in Hong Kong. However, according to non-binding guidance issued by the PCPD, as a matter of best practice the PCPD

encourages notification to the PCPD, and to data subjects where there would be a risk of harm by not notifying. There is a

template form to this end on the PCPD website.

Recent high profile data incidents have led regulators and politicians to consider introducing more stringent breach notification

rules. The PCPD has already hinted at increased use of compliance checks and greater publication of investigation reports as part

of “fair” enforcement of the law. Now the Consultation Paper proposes a mandatory breach notification requirement for

organizations to notify a data incident to both the PCPD and the impacted data subjects within the prescribed period where there

is a real risk of significant harm.

ENFORCEMENT

The PCPD is responsible for enforcing the Ordinance. Generally, unless a specific offense applies, if a data user is found to have

contravened the data protection principles of the Ordinance, the PCPD may issue an enforcement notice requiring the data user

to take steps to rectify the contravention. Failure to abide by the enforcement notice is a criminal offense, punishable by a fine of

up to HK$50,000 and imprisonment for up to two years, as well as a daily penalty of HK$1,000 if the offense continues after

conviction. In the case of subsequent convictions, additional and more severe penalties apply. There are also certain specific

offenses under the Ordinance which are triggered directly without the intermediary step of an enforcement notice. For example:

Breach of certain provisions relating to direct marketing is punishable by a fine of up to HK$1 million and imprisonment of

up to five years, depending on the nature of the breach, and

Disclosing personal data of a data subject obtained from a data user without the data user’s consent is an offense

punishable by a fine of up to HK$1 million and imprisonment of up to five years, where such disclosure is made with

certain intent, or where the disclosure causes psychological harm to the data subject

Appeals from enforcement decisions of the PCPD may be made to the Administrative Appeals Board.

In addition to criminal sanctions, a data subject who suffers damage by reason of contravention of the Ordinance may also seek

compensation from the data user through civil proceedings. The PCPD operates an assistance scheme for data subjects in this

regard.

In light of recent high profile data incidents, the PCPD may further strengthen its enforcement against breaches of the Ordinance

through more frequent compliance checks and publication of investigation reports, as well as increased co-operation with local

and international authorities. 

The Consultation Paper proposes to confer additional powers on the PCPD to impose administrative fines linked to the annual

turnover of the organization, which would, if implemented, result in a significant increase in financial penalties at a much higher

amount calculated by reference to annual turnover.

Doxxing

Under the Amendment Ordinance it is an offence to disclose, without the data subject’s consent, any personal data with an intent

to cause harm to the data subject or any family member of the data subject.

Depending on the severity of the offence, any person who commits the offence is liable on conviction to:

a fine at level 6 (i.e. HK$100,000) and imprisonment for 2 years; or

a fine of HK$1,000,000 and imprisonment for 5 years if the disclosure causes harm to the data subject or any family member of the data subject.


The PCPD is now also empowered to conduct criminal investigations and commence prosecution for doxxing offences. Among

other things:

The PCPD is granted wide powers under the Amendment Ordinance to access documents and information from any

person, or require any person to answer questions or provide relevant materials to facilitate an investigation in relation to

doxxing offences.

The PCPD may also, with a warrant, enter premises and seize any materials or devices in the premises which may be

relevant to the investigation as well as decrypt any material stored in these devices.

As the anti-doxxing provisions have extra-territorial effect, the PCPD is now empowered to serve cessation notices to operators

of electronic platforms including websites and online applications (regardless of whether these operators are based in Hong Kong

or outside Hong Kong) where personal data has been disclosed without the individual’s consent. The cessation notices will require

the recipient of the notice to take steps to remove the doxxing content or restrict the disclosure of personal data which has been

made.

Failure to comply with a cessation notice is an offence. Persons who commit the offence are liable, on first conviction, to a fine at level 5 (i.e. HK$50,000) and imprisonment for two years.

ELECTRONIC MARKETING

Specific provisions of the Ordinance govern the use and sharing of personal data for the purposes of direct marketing (meaning

the offering, or advertising the availability of goods, facilities or services, or the solicitation of donations or contributions for

charitable, cultural, philanthropic, recreational, political or other purposes), when such marketing is conducted through “direct

marketing means” (being the sending of information or goods, addressed to specific persons by name, by mail, fax, electronic mail

or other means of communication; or making telephone calls to specific persons).

The direct marketing provisions generally require data users who wish to use personal data for the data user’s own direct

marketing purposes to obtain prior consent from the data subject for such action and notify the data subject as follows:

That the data user intends to use the individual’s personal data for direct marketing

That the data user may not so use the personal data unless the data user has received the data subject’s consent to the intended use

The kind(s) of personal data to be used

The class(es) of marketing subjects (i.e. goods / services to be marketed) in relation to which the data is to be used, and

The response channel through which the individual may, without charge, communicate the individual’s consent to the

intended use

Furthermore, if the consent was given orally, data users have the additional obligation to send a written confirmation to the data

subject confirming the particulars of the consent received.

The direct marketing provisions generally require data users who wish to share personal data with a group company or a third

party for their direct marketing purposes (e.g. for joint marketing, or in connection with a sale of a marketing list) to obtain their

prior written consent and to notify the data subject as follows:

That the data user intends to provide the individual’s personal data to another person for use by that person in direct

marketing

That the data user may not so provide the data unless the data user has received the individual’s written consent to the

intended provision

That the provision of the personal data is for gain (if it is to be so provided)

The kind(s) of personal data to be provided


The class(es) of persons to which the data is to be provided

The class(es) of marketing subjects (i.e. goods/services to be marketed) in relation to which the data is to be used, and

The response channel through which the individual may, without charge, communicate the individual’s consent to the

intended use

When data users use personal data for the purposes of direct marketing for the first time, they must inform the subjects that they

may opt out at any time, free of charge. In practice, it is common for subsequent direct marketing communications in Hong Kong

to contain unsubscribe functions, not just in the first message.

Hong Kong’s anti-spam framework is set out in the Unsolicited Electronic Messages Ordinance (Cap. 593), under which three

types of Do-Not-Call (DNC) registers are maintained, namely the DNC for fax, short messages and pre-recorded telephone

messages. Person-to-person telemarketing calls are not regulated by this framework.

In 2019, a legislative proposal was published to implement the new DNC to provide an “opt out” framework to permit recipients

to request to stop receiving person-to-person telemarketing calls. The Government is currently drafting the relevant bill.

ONLINE PRIVACY

The principles as stated in the Ordinance also apply in the online environment. For example, under the Ordinance, data users have

the obligation to inform data subjects of the purposes for collecting their personal data, even if personal data is collected through

the Internet. If a website uses cookies to collect personal data from its visitors, this should be made known to them. Data users

should also inform the visitors whether and how non-acceptance of the cookies will affect the functionality of the website. 

With the coming into effect of the Amendment Ordinance, a new anti-doxxing law is now in force in Hong Kong. It is now an

offence to disclose any personal data without the data subject’s consent with an intent to cause harm to the data subject or any

family member of the data subject.

KEY CONTACTS

Carolyn Bigg
Partner, Global Co-Chair of Data Protection, Privacy and Security Group

T +852 2103 0576

carolyn.bigg@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

HUNGARY

Last modified 22 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Hungarian Parliament implemented the GDPR into Hungarian law by amending Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information. As of 26 April 2019 all the relevant sectoral laws were also amended in Hungary in order to comply with the provisions of the GDPR.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Hungarian Supervisory Authority is the Hungarian National Authority for Data Protection and Freedom of Information (in Hungarian: Nemzeti Adatvédelmi és Információszabadság Hatóság).

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:


it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Hungary 480 | | | www.dlapiperdataprotection.com

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (under EU or Member State law) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose


the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.


Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

necessary for entering into or performing a contract;

authorized by EU or Member State law; or

the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the first or third of these grounds (contract or explicit consent), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor


and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and standard contractual clauses; the separate, narrower derogations are discussed below. On 16 July 2020 the Court of Justice of the European Union (CJEU), in its Schrems II decision, invalidated the EU-US Privacy Shield Framework and created new obligations, notably for businesses transferring personal data pursuant to standard contractual clauses. The CJEU affirmed that the protections of EU law for personal data must follow the data when transferred outside the EU; the protection provided in the destination country must be essentially equivalent to EU laws. The CJEU specifically tasked exporters with assessing transfers case by case, and putting into place supplementary measures whenever necessary to ensure essential equivalence. Such measures are variously technical, organizational or contractual in nature. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defense of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing.
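The first measure in that list, pseudonymization, is defined in Article 4(5) as processing personal data so that they can no longer be attributed to a specific data subject without the use of additional information that is kept separately and protected. The following Python example, added here to illustrate the point and not taken from the DLA Piper handbook, shows what that means in practice: identifiers are replaced with keyed HMAC-SHA256 pseudonyms, the key and the re-identification table are the separately held “additional information”, and the same enumeration attack that trivially reverses an unkeyed hash of a small identifier space fails against the keyed pseudonym. The customer records, the HU-NNNNNN identifier format and the field names are constructed for the example.

```python
"""Pseudonymisation of personal data with a keyed hash (HMAC-SHA256).

Illustrative code added alongside the GDPR security discussion; it is not
taken from the DLA Piper handbook. The records below are constructed sample
data about fictional people.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Constructed sample records: the same customer appears twice so that the
# linkability of deterministic pseudonyms can be observed.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"customer_id": "HU-000123", "email": "anna@example.com", "plan": "gold"},
    {"customer_id": "HU-000124", "email": "bela@example.com", "plan": "basic"},
    {"customer_id": "HU-000123", "email": "anna@example.com", "plan": "gold"},
]

# Fields that directly identify the data subject and must be replaced.
IDENTIFIER_FIELDS: Tuple[str, ...] = ("customer_id", "email")


def make_pseudonym_key() -> bytes:
    """A fresh 256-bit secret: the 'additional information' that Article 4(5)
    requires to be kept separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: equal inputs map to equal outputs, so
    records about one person can still be joined, but without the key the
    mapping can neither be recomputed nor enumerated."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_records(
    records: Iterable[Dict[str, str]], key: bytes
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Replace identifier fields with pseudonyms.

    Returns the pseudonymised records and a re-identification table
    (pseudonym -> original value). The table and the key belong in a separate
    store with its own access controls; the records can then be handled at a
    lower level of risk.
    """
    table: Dict[str, str] = {}
    out: List[Dict[str, str]] = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFIER_FIELDS:
            if field in new:
                p = pseudonym(new[field], key)
                table[p] = new[field]
                new[field] = p
        out.append(new)
    return out, table


def reidentify(record: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Restore the original identifiers; only possible with the separate table."""
    restored = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in restored and restored[field] in table:
            restored[field] = table[restored[field]]
    return restored


def naive_hash(value: str) -> str:
    """An unkeyed hash, often mistaken for pseudonymisation."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def customer_id_space(limit: int) -> Iterator[str]:
    """Enumerate the (assumed) customer-ID format HU-NNNNNN up to `limit`."""
    for i in range(limit):
        yield f"HU-{i:06d}"


def reverse_by_enumeration(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: recover an identifier from an unkeyed hash by hashing
    every plausible value. Succeeds against naive_hash() because the identifier
    space is small; fails against pseudonym() because the key is unknown."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), digest):
            return candidate
    return None


if __name__ == "__main__":
    key = make_pseudonym_key()
    records, table = pseudonymize_records(SAMPLE_RECORDS, key)
    print("pseudonymised:", records)
    print("re-identified:", reidentify(records[0], table))
    space = list(customer_id_space(1000))
    print("naive hash reversed to:", reverse_by_enumeration(naive_hash("HU-000123"), space))
    print("keyed pseudonym reversed to:", reverse_by_enumeration(records[0]["customer_id"], space))
```

The design point is the separation: the pseudonymised records on their own do not identify anyone, and re-identification requires both the key and the table, which is why they must be stored and access-controlled apart from the records. A plain SHA-256 of a customer number or e-mail address does not achieve this, because anyone can hash the candidate values and match them.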

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,


and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Article 33(1)). When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,


proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg,

an email address is likely to be ‘personal data’ for the purposes of the Act).

Also, pursuant to Act No. XLVIII of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising

Activities, unless otherwise provided by specific other legislation, advertisements may be conveyed to natural persons by way of

direct contact (hereinafter referred to as ‘direct marketing’), such as through electronic mail or equivalent individual

communications only upon the express prior consent of the person to whom the advertisement is addressed. The request for the

consent may not contain any advertisement, other than the name and description of the company.

The statement of consent may be made in any way or form, on condition that it contains the name of the person providing it, and


– if the advertisement to which the consent pertains may be disseminated only to persons of a specific age – his place and date of

birth, furthermore, any other personal data authorized for processing by the person providing the statement, including an

indication that it was given freely and in possession of the necessary legal information.

The statement of consent may be withdrawn freely any time, free of charge and without any explanation. In this case all personal

data of the person who has provided the statement must be promptly erased from the records and all advertisements must be

stopped.

Pursuant to Act No. C of 2003 on Electronic Communications (‘EC Act’), applying automated calling system free of any human

intervention, or any other automated device for initiating communication in respect of a subscriber for the purposes of direct

marketing, providing information, public-opinion polling and market research shall be subject to the prior consent of the

subscriber.

ONLINE PRIVACY

The EC Act deals with the collection of location and traffic data by public electronic communications services providers (‘CSPs’)

and use of cookies (and similar technologies).

Traffic Data

With certain special exceptions set out in the EC Act (eg, invoicing, collecting subscriber fees, law enforcement, national security and defense), traffic data relating to subscribers and users processed and stored by CSPs while providing such services must be erased or made anonymous when it is no longer needed.

CSPs may use certain traffic data as referred to in the EC Act for the provision of value added services or for marketing purposes

subject to the subscriber’s or user’s prior consent, to the extent necessary for the provision of such services or for marketing

purposes. CSPs shall provide the possibility for users or subscribers to withdraw their consent at any time.

Location Data

CSPs shall be authorized to process location data only upon the prior consent of the subscribers or users to whom the data are

related, and only to the extent and for the duration as it is necessary for the provision of value added services.

Users and subscribers shall have the right to withdraw their consent at any time.

CSPs shall be required to comply with any request for location information in connection with specific subscribers or users, if

made by the investigating authority, the public prosecutor, the court or the national security service pursuant to the authorization

conferred in specific other legislation, to the extent required to discharge their respective duties.

Cookie Compliance

Pursuant to the EC Act, on the electronic communication terminal equipment of a subscriber or user, information may be stored,

or accessed, only upon the user’s or subscriber’s prior consent granted in possession of clear and comprehensive information,

which information inter alia includes the purpose of processing.

The European Data Protection Board issued a guidance in respect of the interpretation of ‘consent’ and how this consent should

be obtained in practice. This guidance shall apply to the implementation of cookies as well. General practice is that consent should

be obtained by means of a cookie banner. It needs to be ensured that no cookies are set / placed prior to the declaration of

consent.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Zoltan Kozma
Counsel

T +3615101154

zoltan.kozma@dlapiper.com


ICELAND

Last modified 22 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Act No. 90/2018 on Data Protection and the Processing of Personal Data (the ‘DPA’) implements the GDPR in

Iceland. The law contains derogations and exemptions from the position under the GDPR in certain permitted areas.

DEFINITIONS

” ” is defined as ” ” (Article 4). A low bar is set forPersonal data any information relating to an identified or identifiable natural person

“identifiable” – if the natural person can be identified using “ ” (Recital 26) the information isall means reasonably likely to be used

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of ” ” (Article 9) of personal data (including dataspecial categories

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

(Article 10).convictions and offences


The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The DPA defines a public authority or body in accordance with Article 1 of the Administrative Procedures Act no. 37/1993. The term public authority refers to all parties, institutions, committees, etc. which are governed by state and local government.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Data Protection Authority (Icelandic: ‘Persónuvernd’) is the supervisory authority in Iceland for the purposes of Article 51 of the GDPR.

Contact details:

Persónuvernd – The Icelandic Data Protection Authority
Rauðarárstígur 10, 105 Reykjavík, Iceland.
Tel. +354 510-9600
e-mail: postur@personuvernd.is
www.personuvernd.is

The Board of Directors and employees of the Data Protection Authority have an obligation of confidentiality in accordance with Chapter X of the Icelandic Administrative Procedures Act no. 37/1993. The same applies to others who work on behalf of the Authority.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

According to Article 31 of the DPA, controllers need to consult with and obtain prior authorization from the supervisory authority in relation to processing by a controller for the performance of a task carried out in the public interest, including processing in relation to social protection and public health. The GDPR generally implies certain withdrawal from the previous policy that processing of personal data may be based on licenses, but this Article in the DPA is an exception.

Article 30 of the DPA implements the requirement to consult the supervisory authority in certain cases following a data protection impact assessment. Furthermore, advertisement no. 828/2019 lists the processing activities that require a data protection impact assessment.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
- to advise and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.


Iceland did not extend the requirement to appoint a Data Protection Officer, cf. Article 37(4) of the GDPR.

The DPA defines a public authority or body in accordance with Article 1 of the Administrative Procedures Act no. 37/1993. The term public authority refers to all parties, institutions, committees, etc. which are governed by state and local government. According to the bill to the DPA, it is regarded as desirable that companies entrusted with certain projects for the public interest designate a Data Protection Officer with regard to those projects.

The Data Protection Officer has an obligation of confidentiality in accordance with Chapter X of the Icelandic Administrative Procedures Act no. 37/1993.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up-to-date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

- with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);
- where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
- where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies);
- where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
- where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data


Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

- with the explicit consent of the data subject;
- where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
- where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
- in limited circumstances by certain not-for-profit bodies;
- where processing relates to the personal data which are manifestly made public by the data subject;
- where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
- where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
- where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;
- where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
- where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

- any link between the original purpose and the new purpose
- the context in which the data have been collected
- the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
- the possible consequences of the new processing for the data subjects
- the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

- the identity and contact details of the controller;
- the data protection officer’s contact details (if there is one);
- both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
- the recipients or categories of recipients of the personal data;
- details of international transfers;
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
- the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
- where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
- the consequences of failing to provide data necessary to enter into a contract;
- the existence of any automated decision making and profiling and the consequences for the data subject; and
- in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.


http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631


Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;
b. authorized by EU or Member State law; or
c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Criminal convictions and offences data (Article 10)

According to Article 12 of the DPA, processing of personal data relating to criminal convictions and offences is subject to certain conditions and the processing must be based on one of the legal bases in Article 9 of the DPA, cf. Article 6(1) of the GDPR.

According to Article 12(1) of the DPA, authorities may not process data relating to criminal convictions and offences unless it is necessary for the purpose of their statutory tasks.

According to Article 12(2) of the DPA, the data cannot be disclosed unless:

- the data subject has explicitly given its consent for the disclosure
- disclosure is necessary for the legitimate interests of the public or private sector which obviously outweigh the interests of the confidentiality of the data, including the interests of the data subject
- the disclosure is necessary for the legitimate tasks of the relevant authority or for the authority’s decision or
- disclosure is necessary for public-sector projects that have been legally assigned to private parties

Private entities cannot process information on criminal convictions and offences unless the data subject has given its explicit consent or the processing is necessary for legitimate interests which obviously outweigh the interest of the data subject.

Children’s consent to information society services (Article 8)

Article 8(1) of the GDPR stipulates that a child may only provide their own consent to processing in respect of information society (primarily, online) services, where that child is over 16 years of age, unless member state law applies a lower age. The DPA reduces the age of consent for these purposes to 13 years for Iceland, cf. Article 10(5).


Data subject’s rights

The data subject has the right to be informed about the processing of his personal data; however, Article 17 of the DPA implements certain restrictions on these rights.

According to Article 17(3) of the DPA, Articles 13(1)-(3), 14(1)-(4) and 15 of the GDPR regarding the data subjects’ rights do not apply if the interests of individuals linked to the personal data, including the interests of the data subject itself, outweigh the interests of the data subject.

The rights granted to the data subject in Articles 13 – 15 of the GDPR can be restricted with a legislative measure if such a limitation of fundamental rights and freedoms constitutes a necessary and proportionate measure in a democratic society to safeguard:

- national security
- national defense
- public security
- the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security
- other important objectives of general public interest, in particular those of economic or financial interest including monetary, budgetary and taxation matters, public health and social security
- the protection of the data subject, the vital interests of the public or the fundamental rights of others
- the enforcement of civil law claims
- legal obligation of professional secrecy

The right to restrict the data subject’s rights also applies to personal data in working documents used in preparation for the controllers’ decisions if it has not been distributed to others, to the extent necessary to ensure the preparation of the proceedings.

Information regarding cases that are being processed by authorities may be exempted from access according to Article 15(1) of the GDPR to the same extent as applies according to the Information Act no. 140/2012 and the Administrative Procedures Act no. 37/1993.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

- explicit informed consent has been obtained;
- the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defense of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
- the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

Article 16 of the DPA implements the provisions of GDPR on the transfer of personal data to another country or international organisations into Icelandic legislation. Furthermore, advertisement no. 228/2010 prescribes for the transfer of personal data to other countries.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Chapter IV of the DPA implements the provisions of GDPR on security measures into Icelandic legislation.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Iceland 497 | | | www.dlapiperdataprotection.com

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

Regarding the security of the processing and notification of a personal data breach, Articles 32 and 33 of the GDPR are

implemented in the DPA without alterations in Article 27.

The Icelandic Data Protection Authority has issued guidelines for notifications of security breaches which are based on the

instructions of the Article 29 Working Party on security breaches and has provided a form for notification purposes.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:


obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Non-compliance with the instructions of the Data Protection Authority regarding a) temporary or definitive limitation

including a ban on processing, b) rectification or erasure of personal data or restriction of processing and the notification

of such actions to recipients to whom the personal data have been disclosed, or c) suspension of data flows to a recipient

in a third country or to an international organization, can lead to daily fines until necessary improvements have been

made. Fines can amount up to ISK 200,000 (approximately 1,600 euros) for each day that passes without the Data

Protection Authority’s instructions being observed.

Breaches of the DPA can lead to fines from ISK 100,000 (approximately 800 euros) to 1,2 billion ISK (approximately 9,600

euros) (in relation to Article 83(4) of the GDPR) and ISK 100,000 to ISK 2,4 billion (approximately 19,280 euros) (in

relation to Articles 83(5)-83(6) of the GDPR), cf. Article 46 of the DPA.

Major breaches can also lead to imprisonment up to 3 years and breach of confidentiality of a data protection officer can

lead to fines or imprisonment up to 1 year and in severe cases, up to 3 years, cf. Article 48 of the DPA.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).


Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

Based on the Electronic Communications Act No 81/2003 the use of electronic communications systems, including for email and

other direct marketing, is only allowed if a subscriber has given prior consent.

If the email address has been obtained in the context of the sale of a good or service, the controller may use it for direct

marketing of the controller’s own goods or services to customers who have not objected to receiving email marketing from the

controller, provided the customers are given the opportunity, free of charge, to object to such use of their email address when it

is collected and each time a message is sent.

Further, all marketing emails must include the name and address of the party responsible for the marketing.

ONLINE PRIVACY

There are no provisions in Icelandic legislation that specifically deal with the use of cookies or location data. However, location

data and IP addresses are considered personal data under the Data Protection Act.

If the use of cookies leads to the use of IP addresses or other personal data, the processing of such data must comply with the

Data Protection Act. The processing is therefore not permissible unless one of the listed conditions is met, in most instances the

data subject must consent to the processing of such data.  

KEY CONTACTS

LOGOS Legal Services

www.logoslegalservices.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Hjördís Halldórsdóttir
Partner

LOGOS Legal Services

T +354 5 400 300

hjordis@logos.is

Áslaug Björgvinsdóttir
Partner

LOGOS Legal Services www.logoslegalservices.com

T +354 5 400 300

aslaug@logos.is


INDIA

Last modified 30 November 2021

LAW

At present, the Information Technology Act, 2000 (the Act) and rules notified thereunder largely govern data protection in India.

On August 24, 2017, a Constitutional Bench of nine judges of the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union

of India [Writ Petition No. 494/2012] upheld that privacy is a fundamental right, which is entrenched in Article 21 [Right to Life &

Liberty] of the Constitution. This led to the formulation of a comprehensive Personal Data Protection Bill 2019 (the PDP Bill) (Note 1).

The enactment of the PDP Bill will overhaul the personal data protection and regulatory regime in India. Until such time, the Act

and rules provided therein govern data privacy in India. The PDP Bill is currently pending consideration of the Indian Parliament

and may undergo significant changes to its current form, based on a report submitted by a Joint Parliamentary Committee formed

to analyse the PDP Bill. The PDP Bill is expected to come into effect in early 2022.

India’s IT Ministry adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data

or Information) Rules (Privacy Rules), notified under the Act. The Privacy Rules, which took effect in 2011, require corporate

entities collecting, processing and storing personal information, including sensitive personal information, to comply with certain

procedures. It distinguishes both ‘personal information’ and ‘sensitive personal information’, as defined below.

In August 2011, India’s Ministry of Communications and Information Technology issued a ‘Press Note’ (Clarification on the Privacy

Rules), which provided that any Indian outsourcing service provider/organization providing services relating to the collection,

storage, dealing or handling of sensitive personal information or personal information under contractual obligation with any legal

entity located within or outside India is not subject to collection and disclosure of information requirements, including the consent

requirements discussed below, provided that they do not have direct contact with the data subjects (providers of information)

when providing their services.

As stated above, India is in the process of overhauling its personal data protection regime. However, there is a possibility of a new

regulatory framework for non-personal data in India. The Ministry of Electronics & Information Technology in the year 2019

formed a committee to make recommendations for the consideration of the Central Government on the regulation of

non-personal data (NPD) and released its report on non-personal data governance framework (the NPD Report). The NPD

Report defines NPD as data which is not personal data as defined under the PDP Bill or data without any personally identifiable

information. The NPD Report, among others, recommends that appropriate standards of anonymization of NPD be defined to

prevent/minimize the risks of re-identification. It remains to be seen if NPD will also be regulated under the PDP Bill and how it

will impact various stakeholders.

Note 1: This Bill was introduced in the Lower House of the Parliament on December 11, 2019.  It proposes a legal framework to

protect the autonomy of individuals in relation to their personal data, to specify where the flow and usage of personal data is

appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of


individuals whose personal data are processed, to create a framework for implementing organizational and technical measures in

processing personal data, to lay down norms for cross-border transfers of personal data, to ensure the accountability of entities

processing personal data, to provide remedies for unauthorized and harmful processing, and to establish a Data Protection

Authority for overseeing processing activities. The PDP Bill is pending consideration of the Indian Parliament.

DEFINITIONS

Definition of personal data

The Privacy Rules define “personal information” as any information that relates to a natural person, which either directly or

indirectly, in combination with other information that is available or likely to be available to a corporate entity, is capable of

identifying such person.

Definition of sensitive personal data

The Privacy Rules define “sensitive personal data or information” to include the following information relating to:

Passwords

Financial information (eg, bank account/credit or debit card or other payment instrument details)

Physical, physiological and mental health conditions

Sexual orientation

Medical records and history

Biometric information

Any detail relating to the above clauses as provided to a corporate entity for providing services

Any of the information received under the above clauses for storing or processing under lawful contract or otherwise

Biometrics means the technologies that measure and analyze human body characteristics, such as fingerprints, eye retinas and

irises, voice patterns, facial patterns, hand measurements and DNA for authentication purposes.

However, any information that is freely available in the public domain is exempt from the above definition.

NATIONAL DATA PROTECTION AUTHORITY

No such authority exists.

REGISTRATION

No requirement.

DATA PROTECTION OFFICERS

Every corporate entity collecting sensitive personal information must appoint a Grievance Officer to address complaints relating to

the processing of such information, and to respond to data subject access and correction requests in an expeditious manner but

within one month from the date of receipt of the request or grievance.

There is no specific requirement that the data protection officer must be a citizen of or resident of India, nor are there any

specific enforcement actions or penalties associated with not appointing a data protection officer correctly. However, appointment

of a data protection officer is part of the statutory due diligence process and it is thus imperative that such an officer should be

appointed.


COLLECTION & PROCESSING

Under the Act, if a corporate entity that possesses, manages or handles any sensitive personal information in a computer resource

that it owns, controls or operates, is negligent in implementing and maintaining compliance with the Privacy Rules, and its

negligence causes wrongful loss or wrongful gain to any person, the corporate entity shall be liable for damages to the person(s)

affected.

The Privacy Rules state that any corporate entity or any person acting on its behalf that collects sensitive personal information

must obtain written consent (through letter, email or fax) from the providers of that information. However, the August 2011

Press Note issued by the IT Ministry clarifies that consent may be given by any mode of electronic communication.

The Privacy Rules also mandate that any corporate entity (or any person acting on behalf of such entity) that collects, receives,

possesses, stores, deals with or handles information shall provide a privacy policy that discloses its practices regarding the handling and

disclosure of personal information, including sensitive personal information, and ensure that the policy is available for view,

including on the website of the corporate entity (or the person acting on its behalf). Specifically, the corporate entity must ensure

that the person to whom the information relates is notified of the following at the time of collection of sensitive personal

information or other personal information:

The fact that the information is being collected

The purpose for which the information is being collected

The intended recipients of the information

The name and address of the agency that is collecting the information and the agency that will retain the information

Further, sensitive personal information may only be collected for a lawful purpose connected with a function or purpose of the

corporate entity and only if such collection is considered necessary for that purpose. The corporate entity must also ensure that it

does not retain the sensitive personal information for longer than it is required and should also ensure that the sensitive personal

information is being used for the purpose for which it was collected.

A corporate entity or any person acting on its behalf is obligated to enable the providers of information to review the information

they had so provided and also to ensure that any personal information or sensitive personal information that is found to be

inaccurate or deficient is corrected upon request. Further, the provider of information has to be provided a right to opt out (ie,

he/she will be able to withdraw his or her consent) even after consent has been provided. However, the corporate entity will not

be held responsible for the authenticity of the personal information or sensitive personal information given by the provider of

information to such corporate entity or any other person acting on its behalf.

TRANSFER

The data collector must obtain the consent of the provider of the information for any transfer of sensitive personal information to

any other corporate entity or person in India, or to any other country that ensures the same level of data protection as provided

for under the Privacy Rules. However, consent is not necessary for the transfer if it is required for the performance of a lawful

contract between the corporate entity (or any person acting on its behalf) and the provider of information or as otherwise

specified in the Act.

A corporate entity may not transfer any sensitive personal information to another person or entity that does not maintain the

same level of data protection as required by the Act.

The contract regulating the data transfer should contain adequate indemnity provisions for a third party breach, should clearly

specify the end purposes of the data processing (including who has access to such data) and should specify a mode of transfer that

is adequately secured and safe.

Further, under the Act, it is an offense for any person who has pursuant to a contract gained access to any material containing


personal information to disclose that information without the consent of the person concerned, and with the intent to cause or

knowing that he is likely to cause wrongful loss or wrongful gain.

Thus, contracts should also specifically include provisions:

Entitling the data collector to distinguish between ‘personal information’ and ‘sensitive personal information’ that it wishes

to collect/process, and

Representing that the consent of the person(s) concerned has been obtained for collection and disclosure of personal

information or sensitive personal information, and outlining the liability of the third party

Data Localization

India’s central bank, the Reserve Bank of India (RBI) has made it mandatory from October 15, 2018, for all payment system

providers and their service providers, intermediaries, third party vendors and other entities in the payment ecosystem to ensure

that all data relating to payment systems operated by them are stored in a system only in India. Interestingly, by virtue of this

regulation, RBI is seeking storage of all payment system data, which includes the entire payment processing cycle from request to

final payout.

SECURITY

A corporate entity possessing, dealing or handling any sensitive personal information in a computer resource which it owns,

controls or operates is required to implement and maintain reasonable security practices and procedures to secure the sensitive

personal information. The reasonable security practices and procedures may be specified in an agreement between the parties.

Further, the Privacy Rules provide that in the absence of such agreement ‘reasonable security practices and procedures’ to be

adopted by any corporate entity to secure sensitive personal information are procedures that comply with the IS/ISO/IEC 27001

standard or with the codes of best practices for data protection as approved by the federal government. Presently, no such codes

of best practices have been approved by the federal government.

BREACH NOTIFICATION

The government of India has established and authorized the Indian Computer Emergency Response Team (“Cert-In”) to collect,

analyze and disseminate information on cyber incidents, provide forecasts and alerts of cybersecurity incidents, provide emergency

measures for handling cybersecurity incidents and coordinate cyber incident response activities.

The Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties)

Rules, 2013 (“Cert-In Rules”) impose mandatory notification requirements on service providers, intermediaries, data centers and

corporate entities, upon the occurrence of certain cybersecurity incidents.

Cybersecurity incidents have been defined to mean any real or suspected adverse events, in relation to cybersecurity, that violate

any explicitly or implicitly applicable security policy, resulting in:

Unauthorized access, denial or disruption of service

Unauthorized use of a computer resource for processing or storage of information

Changes to data or information without authorization

The occurrence of the following types of cybersecurity incidents trigger the notification requirements under the Cert-In Rules:

Targeted scanning or probing of critical networks or systems

Compromise of critical information or system

Unauthorized access of IT systems or data


Defacement of websites or intrusion into websites and unauthorized changes, such as inserting malicious codes or links to

external websites

Malicious code attacks such as spreading viruses, worms, Trojans, Botnets or Spyware

Attacks on servers such as Database, Mail and DNS or network devices such as Routers

Identity theft, Spoofing and phishing attacks

Denial of service (DoS) and Distributed Denial of service (DDoS) attacks

Attacks on critical infrastructure, SCADA systems and wireless networks

Attacks on applications such as e-governance and e-commerce

Upon the occurrence of any of the aforementioned events, companies are required to notify the Cert-In within reasonable time,

so as to leave scope for appropriate action by the authorities. However, it is important to follow breach notice obligations, which

would depend upon the “place of occurrence of such breaches” and whether or not Indian customers have been targeted. The

format and procedure for reporting of cybersecurity incidents have been provided by Cert-In on its official website.

ENFORCEMENT

Civil penalties of up to approximately €555,930 (as at November 30, 2021) for failure to protect data including sensitive personal

information may be imposed by an Adjudicating Officer; damages in a civil suit may exceed this amount.

Criminal penalties of up to three years of imprisonment or a fine up to approximately €5,560 (as at November 30, 2021), or both,

may be imposed for unlawful disclosure of information.

ELECTRONIC MARKETING

The Act does not refer to electronic marketing directly. Dishonestly receiving data, computer database or software is an offense.

However, in a related development, the Food Safety and Standards Authority of India (FSSAI) has made it mandatory for

E-commerce FBOs (Food Business Operators) to obtain a license from the Central Licensing Authority. E-commerce FBO means

any Food Business Operator carrying out any of the activities in section 3(n) of Food Safety & Standards Act, 2006, through the

medium of e-commerce. Interestingly, section 3(n) covers the entire food chain as it defines “food business” as any undertaking,

whether for-profit or not, and whether public or private, carrying out any of the activities related to any stage of manufacture,

processing, packaging, storage, transportation, distribution of food, import and includes food services, catering services, sale of

food or food ingredients. Similarly, another set of legal rules, referred to as the “E-commerce & the Legal Metrology (Packaged

Commodities) Amendment Rules, 2017,” effective from January 1, 2018, has made it mandatory for an e-commerce entity to

ensure mandatory declarations about the commodity displayed on the digital and electronic network used for e-commerce

transactions.

The consumer protection regime in India was recently overhauled by way of enactment of the Consumer Protection Act, 2019

(notified in July 2020) (CPA 2019). Under CPA 2019, sellers and service providers have the obligation to, among others, not

engage in unfair trade practices including by way of misleading advertisements. Further, Consumer Protection (E-Commerce)

Rules, 2020 (E-Commerce Rules) have been notified under the CPA to regulate e-commerce entities in India. An ‘e-commerce

entity’ has been defined to mean any person who owns, operates or manages digital or electronic facility or platform for electronic

commerce, but does not include a seller offering his goods or services for sale on a marketplace e-commerce entity. E-commerce

entities are required to set up a proper grievance redressal mechanism and consumer complaints should be acknowledged by the

grievance officer within a stipulated timeline. E-commerce entities are further required to, among others, provide information in

relation to refund, exchange, warranty, delivery, mode of payment, fees and charges, grievance process and other relevant

information on their platform. The price (total and a break up) of goods or services should be mentioned clearly and misleading

advertisements and misrepresentation are prohibited.

The Privacy Rules also provide the right to “opt out” of email marketing, and the company’s privacy policy must address marketing

and information collection practices. Further, the National Do Not Call (NDNC) Registry is effectively implemented by the


Telecom Regulatory Authority of India (TRAI). TRAI has also established the Telecom Commercial Communication Customer

Preference Portal, ie, a national database containing a list of the telephone numbers of all subscribers who have registered their

preferences regarding the receipt of commercial communications. Telemarketing companies may lose their license for repeated

violation of DNC norms.

ONLINE PRIVACY

There is no regulation of cookies, behavioral advertising or location data. However, it is advisable to obtain user consent, such as

through appropriate disclaimers.

However, the IT Act contains both civil and criminal offenses for a variety of computer crimes:

Any person who introduces or causes to be introduced any computer contaminant into any computer, computer system

or computer network may be fined up to approximately €555,930 (as at November 30, 2021) (by an Adjudicating Officer);

damages in a civil suit may exceed this amount. Under the IT Act, ‘computer contaminant’ is defined as any set of

computer instructions that are designed:

To modify, destroy, record, or transmit data or programs residing within a computer, computer system or

computer network, or

By any means to usurp the normal operation of the computer, computer system or computer network

Any person, who fraudulently or dishonestly makes use of the electronic signature, password or any other unique

identification feature of any other person, is subject to a prison term of up to three years and a fine up to approximately

€1,110 (as at November 30, 2021).

KEY CONTACTS

J. Sagar Associates

www.jsalaw.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Sajai Singh
Partner

J. Sagar Associates

T +91 80 435 03627

sajai@jsalaw.com


INDONESIA

Last modified 17 December 2021

LAW

Specific regulations

In Indonesia, as of the date of this publication there is no general law on data protection. However, there are certain regulations concerning the use of electronic data. The primary sources of the management of electronic information and transactions are Law No. 11 of 2008 regarding Electronic Information and Transactions (“EIT Law”) as amended by Law No. 19 of 2016 regarding the Amendment of EIT Law (“EIT Law Amendment”), Government Regulation No. 71 of 2019 regarding Provisions of Electronic Systems and Transactions (“Reg. 71”) and its implementing regulation, and Minister of Communication & Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in an Electronic System (“MOCI Reg. 20/2016”).

However, a new draft Bill on the Protection of Private Personal Data (“Bill”) has been under discussion for a number of years but to date has not been issued. Although the exact date remains uncertain and the Bill is still to be considered by the House of Representatives, if passed it will become Indonesia’s first comprehensive law to specifically deal with the issue of data privacy.

In addition to the provisions under the EIT Law, Reg. 71 and MOCI Reg. 20/2016, there is a series of regulations which also cover certain provisions that may relate to data protection, such as:

Telecommunications sector

Article 40 of Law No. 36 of 1999 regarding Telecommunications (“Telecommunications Law”), as partially amended by Law No. 11 of 2020 on Job Creation, generally referred to as the Omnibus Law, provides that any person is prohibited from any kind of tapping of information transmitted through any kind of telecommunications network. Article 42 paragraph (1) of the Telecommunications Law stipulates that any telecommunications services operator has to keep confidential any information transmitted or received by a telecommunications service subscriber through telecommunications networks or telecommunications services provided by the relevant operator.[1]

Public information sector

Article 6 paragraph (3) point c of Law No. 14 of 2008 regarding Disclosure of Public Information (“Public Information Law”)[2] provides that information relating to personal rights may not be disclosed by public bodies. Furthermore, Article 17 point (h) of the Public Information Law, together with other laws, prohibits the disclosure of private information of any person, particularly that which concerns family history; medical and psychological history; financial information (including assets, earnings and bank records); evaluation records concerning a person’s capability, recommendations or intellect; and/or formal and informal education records.

Banking and capital markets sectors

Data privacy in this sector is regulated under Law 7 of 1992 as amended by Law 10 of 1998 on Banking and as partially amended by Law No. 11 on Job Creation (“Banking Law”) and Law 8 of 1995 on Capital Markets (“Capital Markets Law”) respectively.

The regulations apply to both individual and corporate data.[3]

Article 21 paragraph (2) of Financial Services Authority Regulation No. 38/POJK.03/2016 as partially amended by Financial Services Authority Regulation No. 13/POJK.03/2020 on the Implementation of Risk Management in the Utilization of Information Technology by the Bank stipulates that a bank’s transfer of customer data (by way of establishing a data center or data processing outside the territory of Indonesia) requires prior approval from the Financial Services Authority (“FSA”).[4]

[1] Please note that the Omnibus Law only partially amends the Telecommunications Law; Articles 40 and 42 of the Telecommunications Law remain valid and fully enforced.

[2] Please note that Law No. 14 of 2008 regarding Disclosure of Public Information has been partially amended by Constitutional Court Judgement Number 77/PUU-XIV/2016; however, Articles 6 and 17 of Law No. 14 of 2008 regarding Disclosure of Public Information have not been amended.

[3] Please note that the Omnibus Law does not amend the Articles that govern data protection in the Banking Law.

[4] Please note that Article 21 paragraph (2) of FSA Regulation No. 38/POJK.03/2016 as partially amended by FSA Regulation No. 13/POJK.03/2020 regarding the Implementation of Risk Management in the Utilization of Information Technology by the Bank still requires banks to obtain prior approval from the FSA when establishing a data center or data processing outside the territory of Indonesia.

DEFINITIONS

Definition of personal data

Article 1 point (29) of Reg. 71 defines personal data as any data of an individual who can be identified and/or may be identified

individually or combined with other information both directly or indirectly through electronic or non-electronic systems.

Definition of sensitive personal data

Currently, there is no specific definition of sensitive personal data under the prevailing laws and regulations. However, Article 1 point (21) of the Minister of Communication and Informatics Regulation No. 5 of 2020 on Electronic System Providers in the Private Sector as amended by the Minister of Communication and Informatics Regulation No. 10 of 2021 (“MOCI Reg. 5/2020”) defines “Specific Personal Data” as data and information on health, biometric data, genetic data, sexual life/orientation, political views, children’s data, personal financial data, and/or other data in accordance with the provisions of laws and regulations.

NATIONAL DATA PROTECTION AUTHORITY

There is no national data protection authority for data privacy in general in Indonesia; supervision is sectoral. For example, the FSA has the authority to act as the regulator of data privacy in the capital markets sector (since 31 December 2012) and with regard to banks’ customer data privacy issues (since 31 December 2013).

However, please note that Article 73 of Reg. 71 provides that a business actor who operates electronic transactions may be certified by a Competence Certification Body (Lembaga Sertifikasi Keandalan), which may be a domestic Indonesian body (although currently no such domestic bodies exist) or a foreign competence certification body.

REGISTRATION

Pursuant to Article 2 paragraph (2) of Reg. 71, an “Electronic System Provider” is either a:

Public Scope Electronic System Provider; or

Private Scope Electronic System Provider.


Further, Article 2 paragraph (3) of Reg. 71 states that “Public Scope Electronic System Provider” includes:

the Agency;[1] and

an institution appointed by the Agency.

The term Public Scope Electronic System Provider does not include any regulatory or supervisory authority in the financial sector.

According to Article 2 paragraph (2) of MOCI Reg. 5/2020, the term “Private Scope Electronic System Provider” includes:

an Electronic System Provider that is regulated or supervised by a Ministry or Agency based on statutory provisions;

and/or

an Electronic System Provider that has a portal, site, or application in the network through the internet that is used for:

providing, managing, and/or operating the offering and/or trading of goods and/or services;

providing, managing, and/or operating financial transaction services;

delivering paid digital material or content through data network either by downloading through a portal or

website, delivery through electronic mail, or through other applications to the device of the electronic system

user;

providing, managing, and/or operating communication services, including but not limited to short messages, voice

calls, video calls, electronic mail, and network conversations in the form of digital platforms, networking services

and social media;

search engine services, services for providing electronic information in the form of text, sound, image, animation,

music, video, film and game or a combination of part and/or all of them; and/or

processing personal data for public service operational activities related to electronic transaction activities.

Article 6 of Reg. 71 regulates that Public Scope Electronic System Providers and Private Scope Electronic System Providers are

obliged to conduct registration. The registration shall be submitted through electronically integrated business licensing services in

accordance with the statutory provisions and it must be done before the electronic system is used by the electronic system user.

Article 2 paragraphs (1) and (3) of MOCI Reg. 5/2020 provide that all Private Electronic System Providers must conduct

registration and that this registration must be conducted before the electronic system is used by the electronic system user.

Article 4 paragraph (1) of MOCI Reg. 5/2020 further extends this obligation to Private Electronic System Providers that are established under foreign laws or are permanently domiciled in another country but which:

provide services in the territory of Indonesia;

conduct business in Indonesia; and/or

have an electronic system that is used and/or offered in the territory of Indonesia.

Furthermore, Article 4 of Minister of Communications and Informatics Regulation No. 4 of 2016 regarding Management System of Information Protection (“MOCI Reg. 4/2016”) provides for 3 (three) categories of electronic systems: (i) strategic electronic systems, which cause serious impact to the public interest, public services, state governance stability, or state defense and security; (ii) high electronic systems, which cause limited impact to the interests of a certain sector and/or territory; and (iii) low electronic systems, being any other electronic system aside from strategic and high electronic systems.

Article 10 of MOCI Reg. 4/2016 provides that strategic and high electronic system providers (for public services) must obtain a

Certificate of Management System of Information Protection, while low electronic system providers (for public services) may

obtain Certificate of Management System of Information Protection.

[1] Defined as the legislative, executive and judicial agencies at the central and regional level, and other agencies formed by law.

DATA PROTECTION OFFICERS


There is no requirement in Indonesia for organizations to appoint a data protection officer.

COLLECTION & PROCESSING

Based on Article 14 (2) of Reg. 71, processing of personal data includes:

obtainment and collection;

processing and analyzing;

storing;

correction and updates;

displaying, announcing, transferring, distributing or disclosure; and/or

deletion or removal.

As the general rule for processing personal data, the EIT Law, Reg. 71 and MOCI Reg. 20/2016 specifically regulate the obligation to obtain “consent” (as defined below) from the owner of the personal data. Furthermore, Article 7 paragraph (1) of MOCI Reg. 20/2016 provides that an Electronic System Provider’s obtaining and collection of personal data must be limited to information that is relevant and suitable for its purpose and must be conducted accurately. Article 12 paragraph (1) of MOCI Reg. 20/2016 also provides that personal data may only be processed and analyzed in accordance with the needs of the Electronic System Provider as clearly stated at the time the personal data was obtained and collected.

Article 14 paragraph (1) of Reg. 71 explains that Electronic System Provider shall also implement the principles of personal data

protection in the processing of personal data which includes:

personal data collection is conducted in a limited and specific manner, legally valid, fairly, with the knowledge and approval

of the personal data owner;

personal data processing is conducted in accordance with its purpose;

personal data processing is conducted by securing the rights of the personal data owner;

personal data processing is conducted accurately, completely, in a manner that is not misleading, up to date, accountable, and with regard to the purpose of the processing;

personal data processing is conducted by protecting the security of personal data from loss, misuse, unauthorized access and disclosure, as well as from alteration or destruction;

personal data processing is conducted by notifying the purpose of collection, the processing activities, and any failure of personal data protection; and

personal data is destroyed and/or deleted unless it is still within a retention period required by laws and regulations.

Article 32 of MOCI Reg. 5/2020 provides that Private Scope Electronic System Providers shall grant law enforcement officials access to Electronic Data for the investigation, prosecution or trial of criminal acts within the jurisdiction of the Republic of Indonesia, namely criminal acts punishable by imprisonment of at least 2 (two) years. If a Private Scope Electronic System Provider fails to grant such access, Article 45 paragraph (4) of MOCI Reg. 5/2020 provides that the Minister of Communication and Informatics shall impose administrative sanctions in the form of: (i) written warning; (ii) temporary suspension; (iii) termination of access; and/or (iv) revocation of the Electronic System Provider Registration Certificate.

TRANSFER

Article 26 paragraph (2) of Reg. 71 provides that where an electronic system handles electronic information and/or electronic documents that can be transferred (such as securities (valuable paper) and securities in electronic form), such electronic information and/or electronic documents must be unique and must evidence possession and ownership.

The elucidation of Article 26 paragraph (2) of Reg. 71 explains the above provision as follows:

“Electronic information and/or electronic document must be unique” means it is the only one that represents a certain value.

“Electronic information and/or electronic document must explain the possession” means the electronic system has a control system or recording system over such electronic information and/or electronic document.

“Electronic information and/or electronic document must explain the ownership” means the electronic system has technological control measures that guarantee that there is only one single authoritative copy and that it cannot be amended.

Article 21 paragraph (1) of MOCI Reg. 20/2016 states that displaying, announcing, transferring, broadcasting, and/or opening access to personal data in the electronic system may only be conducted:

by consent (defined as a written agreement, given manually and/or electronically by the owner of the personal data after receiving a full explanation of the process for acquiring, collecting, processing, analyzing, storing, displaying, announcing, sending and disseminating the personal data, including its confidentiality or non-confidentiality), except where stipulated otherwise by laws and regulations; and

after its accuracy and suitability for the purpose of obtaining and collecting such personal data has been verified.

Article 22 paragraph (1) of the MOCI Reg. 20/2016 states that transferring personal data that is managed by an electronic system

provider at the government and regional government institution including the public or private sector domiciled in the territory of

Indonesia to parties outside the territory of Indonesia must:

coordinate with the Minister of Communication and Informatics or the official or institution being authorized for such

purpose; and implement the laws and regulations regarding the transboundary exchange of personal data.

Article 22 paragraph (2) of the MOCI Reg. 20/2016 further explains that the implementation of the coordination as stipulated in

Article 22 paragraph (1) point (a) of MOCI Reg. 20/2016 being:

to report the implementation plan for the personal data transfer, containing at least the name of the destination country, the name of the recipient, the implementation date, and the reason / purpose of the transfer;

to request advocacy, if needed; and

to report the result of the transfer.

SECURITY

Under Reg. 71 and MOCI Reg. 20/2016, Electronic System Providers must, amongst other things:

guarantee the confidentiality of the source code of the software;

ensure agreements on minimum service levels and information security for the information technology services being used, as well as the security of the internal communication facilities it implements;

protect and ensure the privacy and personal data protection of users;

ensure the appropriate lawful use and disclosure of the personal data;

provide the audit records on all provision of electronic systems activities;

have governance policies, operational work procedures, and audit mechanisms that are conducted periodically in the

electronic system;

for Private Scope Electronic System Providers who process and/or store personal data outside of Indonesia, must ensure

the supervisory effectiveness of the Ministry or Agency and law enforcement;

provide access to the electronic system for the purpose of supervision and law enforcement;

provide information in the electronic system based on legitimate request from investigators for certain crimes;

provide options to the personal data owner regarding the personal data that is processed so that the personal data can or

cannot be used and/or displayed by / at third party based on the consent as long as it is related with the purpose of

obtaining and collecting the personal data;

provide access or opportunity to personal data owner to change or renew his/her personal data without disturbing the

system management of the personal data, except regulated otherwise by laws and regulations;

delete the personal data if (i) it has reached the maximum period of storing the personal data (at the shortest 5 years or

based on the applicable regulations/ specific sectoral regulations); or (ii) by request from the personal data owner, except

regulated otherwise by the laws and regulations; and


provide a contact person who can easily be reached by the personal data owner in relation to his / her personal data.

In the telecommunications sector, Article 19 paragraph (2) of Minister of Communication and Informatics Regulation No. 26/PER/M.KOMINFO/5/2007 regarding the Security and Utilization of Internet Protocol based Telecommunications Networks (as amended) (“MOCI Reg. 26/2007”) also provides that the telecommunications service provider is responsible for data storage, as it is obliged to retain its log files for at least 3 months.

BREACH NOTIFICATION

Article 14 paragraph (5) of Reg. 71 provides that the provider of an electronic system must provide written notification to

the owner of personal data, upon its failure to protect the personal data.

Article 24 paragraph (3) of Reg. 71 provides that the provider of an electronic system must make the utmost effort to

protect personal data and to immediately report any failure / serious system interference / disturbance in the first

opportunity to a law enforcement official and relevant Ministry or Agency.

Article 28 paragraph (c) of MOCI Reg. 20/2016 provides that a written notice to the personal data owner is required if there is a failure in protecting the secrecy of the personal data in the electronic system. The requirements for the notice are as follows:

must provide reason or cause of the occurrence of the failure in protecting the secrecy of personal data;

can be conducted electronically, if the personal data owner has given consent for it, at the time of obtaining and

collecting his / her personal data;

must ensure that the notice has been received by the personal data owner if the failure contains potential loss to

the relevant personal data owner; and

a written notice is sent to the personal data owner no later than 14 (fourteen) days after the failure is discovered.

ENFORCEMENT

In Indonesia, the sanctions for breaches of data privacy are found under the relevant legislation and are essentially fines.

Imprisonment may be imposed in severe instances, such as in the event of intentional infringement.

The EIT Law and EIT Law Amendment provide criminal penalties ranging from:

a fine of IDR 600 million to IDR 800 million and 6 to 8 years of imprisonment for unlawful access;

a fine of IDR 800 million and/or 10 years of imprisonment for unlawful interception or wiretapping of a transmission; and/or

a fine of IDR 2 billion to IDR 5 billion and/or 8 to 10 years of imprisonment for alteration, addition, reduction, transmission, tampering, deletion, moving or hiding of electronic information or electronic records.

Failure to comply with Reg. 71 is subject to administrative sanctions (which do not eliminate any civil and criminal liability). These

administration sanctions are in the form of:

written warning;

administrative fines;

temporary dismissal;

termination of access; and/or

expulsion from the list of registrations (as required under the regulation).

Failure to comply with MOCI Reg. 20/2016 is subject to administrative sanctions in the form of:

verbal warning;

written warning;

temporary dismissal of activities; and/or

an announcement in the online website.

Banking Law

Under Article 47 of the Banking Law, any commissioner, director or employee of a bank or its affiliates who intentionally provides information which has to be kept secret may be sentenced to imprisonment for not less than 2 years but not more than 4 years, and fined at least IDR 4 billion but not more than IDR 8 billion.

Capital Markets Law

Under the Capital Markets Law, the FSA is empowered to impose the following administrative sanctions for breaches of the provisions dealing with data protection:

A written reminder;

A fine;

Limitations on business;

Suspension of business;

Revocation of business license;

Cancellation of approval; and/ or

Cancellation of registration.

ELECTRONIC MARKETING

EIT Law and Reg. 71 do not specifically address electronic marketing. Article 25 of the EIT Law provides that an Internet website,

amongst other things, is acknowledged and protected as an intellectual property (IP) and consequently, should fall under the ambit

of the relevant IP laws, which may in certain cases fall under the Indonesian Copyright Law.

Based on Article 33 paragraph (2) of Government Regulation No. 80 of 2019 regarding Trading through Electronic System (“GR 80/2019”) in conjunction with Article 17 paragraph (3) of Minister of Trade of Indonesia Regulation No. 50 of 2020 regarding Business Licensing, Advertising, Development and Supervision of Business Actors in Trading through Electronic System (“MOT 50/2020”), electronic advertisements are required to comply with the laws and regulations in the fields of broadcasting, protection of privacy and personal data, and consumer protection, and must not conflict with the principles of fair business competition.

The requirements for advertisement material under Article 19 of MOT 50/2020 are as follows:

The electronic advertisement must contain appropriate materials that comply with the advertising code of ethics and the

provisions of laws and regulations.

The serving of electronic advertisement shall meet the following provisions:

does not deceive consumers regarding the quality, quantity, material, function/use, and price of goods and/or tariff

of services, as well as the timely receipt of goods and/or services;

does not contain misleading guarantees or warranties for the goods and/or services;

does not contain incorrect, erroneous, or false information regarding goods and/or services;

contain information regarding the risks of using the goods and/or services;

does not exploit an event and/or a person without permission from the authorities or approval from the person

concerned; and

provide a function to exit from electronic advertisement display which is indicated by a close sign, or skip, and

placed in a clear place so as to make it easier for consumers to close the electronic advertising concerned.

ONLINE PRIVACY

There are currently no laws or regulations concerning cookies and location data. However, Article 32 of the EIT Law provides that if data collected by cookies or location data is obtained through unlawful access to another party’s electronic information, this is subject to 6 to 8 years of imprisonment and/or a fine of IDR 600 million to IDR 800 million.


KEY CONTACTS

Arifin, Purba & Firmansyah Law Firm


Erwin Purba
Partner

Arifin, Purba & Firmansyah Law Firm

erwin.purba@apf-lawfirm.co.id

Reanarya Alham
Associate

Arifin, Purba & Firmansyah Law Firm

reanarya.alham@apf-lawfirm.co.id

Rachdiansyah Noezar
Associate

Arifin, Purba & Firmansyah Law Firm

rachdiansyah@apf-lawfirm.co.id


IRAN

Last modified 23 May 2019

LAW

Iran has not enacted comprehensive data protection legislation. However, several laws and regulations incorporate data

protection provisions. 

These include: 

Sharia law principles

The Constitution of the Islamic Republic of Iran

Draft of the Bill on Protection of Data and Privacy in the Cyber Space 2018

Charter of Citizen’s Rights 2016

Cyber Crime Act 2011

The Law Concerning Protection of Consumers Rights 2010

The Law on Publishing and Access to Data 2010

Stock Market Law 2006

Electronic Commerce Law (ECL 2004)

The Law on Facilitation of Competition and Prevention of Monopoly 2004

The Law on respect for Legitimate Rights and Citizen Rights 2004

The Law on Establishment of the Ministry of Justice Official Experts 2003

Press Law 2001

Criminal Code 1997

Bylaw Concerning Official Translators 1996

Criminal Procedures Code 1994

Direct Taxation Act as amended 1988

The Law on Statistic Centre of Iran 1976

Civil Liability Code 1960

The Law on Establishment of Notary Public Offices 1937

Iranian Bar Association Law 1936

DEFINITIONS

Definition of Personal Data

Not specifically defined. 

Under the Law on Publishing and Access to Data, “personal data” means first and last name, home and work address, individual

habits, bank accounts information, etc. 

The E-Commerce Law defines “private data” as a “data message” associated with a specific data subject. “Data message” means any representation of facts, information and concepts generated, sent, received, stored or processed by use of electronic, optical or other information technology means.

Definition of Sensitive Personal Data

Not specifically defined. 

Under the E-Commerce Law “sensitive personal data” has customarily been understood to mean data relating to family matters,

criminal records, tribal or ethnic origins, moral and religious beliefs, ethical characteristics, sexual habits and data regarding health,

physical or psychological status.

NATIONAL DATA PROTECTION AUTHORITY

There is no national data protection authority in Iran.

REGISTRATION

There is no registration requirement.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer.

COLLECTION & PROCESSING

Data collection and processing, including publication, is subject to data subject consent, provided that the “data message” is

otherwise in accordance with Iranian law. 

The collection and processing of personal “data messages” via electronic means is subject to the following conditions: 

the purpose of collection and processing must be specified and clearly described

data may only be collected to the extent necessary to achieve its purported purpose

“data messages” must be correct and up-to-date

data subjects must be provided with access to computer files that contain “data messages” that concern the data subject

data subjects must be provided with the ability to delete or rectify “data messages,” in accordance with relevant

regulations (Article 59, E-Commerce Law)  

Unless otherwise provided by law, the following is prohibited: searching, collecting, processing, using or disclosing personal data.

This prohibition also applies to other mail and telecommunications, including telephone communications, faxes, wireless and

private internet communications.

TRANSFER

The Charter of Citizen’s Rights prohibits personal data transfers without express data subject consent. 

Under the ECL, third party and extraterritorial data transfers are subject to: 

data subject consent

assurance that adequate security levels are in place to protect personal data in accordance with data subject rights and

freedoms

SECURITY

Generally, Iranian businesses are required to take reasonable measures to secure personal information. It is unclear whether such measures must be physical, technical or organizational.

Nevertheless, somewhat more effective regulations apply to some businesses and professions that handle sensitive information, such as judges, attorneys, doctors, hospitals and pharmacies.

Under the ECL, “secure information system” is defined as an information system that: 

is reasonably protected against misuse or penetration

possesses a reasonable level of proper accessibility and administration

is reasonably designed and organized in accordance with the significance of the task

is in compliance with secure methods  

A “secure method” is a method to authenticate “data message” date, correctness, origin and destination, as well as to detect

errors and modifications in its communication, content, or storage from a certain point. A secure message is generated using

algorithms or codes, identification words or numbers, encryption, acknowledgement call-back procedures or similar secure

techniques.

BREACH NOTIFICATION

There is no requirement to report data breaches to any individual or regulatory body.

ENFORCEMENT

Iranian courts generally enforce violations through statutorily defined remedies of the applicable law or regulation. 

For example, the Cyber Crime Act provides that anyone who, by use of computer or telecommunication means, publicizes or

makes accessible another individual’s film, pictures or sounds, or personal or family secrets without consent, and causes loss or

damage to the individual or violates that person’s dignity will be sentenced to imprisonment between 61 days and six months or

fined Rls 1,000,000 to 10,000,000.

ELECTRONIC MARKETING

There is no specific electronic marketing law in Iran. However, under the Charter of Citizen’s Rights, operators must obtain

addressee consent before sending any advertisement. Personal cell phones are considered a private zone. Sending any unwanted

advertisements, or spam, is against the law.

ONLINE PRIVACY

There is no specific online privacy law in Iran.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Dr. Hassan Sedigh
CEO

Sedigh & Associates Petroleum Consultants

T +98 21 22009042 – 3

sedigh@sa-petroleum.com


IRELAND

Last modified 22 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force

in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on

May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the

offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their

behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Irish Data Protection Act 2018 (“DP Act”) came into force on 25 May 2018 in order to give further effect to the

GDPR in Ireland. The DP Act includes certain derogations, provides for the establishment of a new Data Protection

Commission, implements the Law Enforcement Directive and otherwise addresses procedural aspects of the enforcement

of data protection in Ireland.

The previous data protection legislation in Ireland, the Data Protection Acts 1988 to 2003, were largely repealed by the

DP Act, however those Acts continue to apply in relation to certain limited purposes including national security and

defence. Additionally, the previous legislation continues to apply in relation to complaints or infringements which occurred

prior to 25 May 2018 as well as to investigations commenced (but not completed) prior to that date.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for

“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set

of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who

“alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor

“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

“Public authority” and “public body” are terms used in the GDPR. For the purposes of the DP Act, the definition of a

“public body” includes a company (and its subsidiaries) in which the majority of shares are held by or on behalf of a

Minister of the Government.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The DP Act established the Data Protection Commission (“DPC”) to act as the supervisory authority for data protection

law in Ireland.

As well as supervising many domestic Irish businesses and organisations, the DPC also regulates many international and

multi-national companies under the GDPR’s main establishment (or “one-stop shop”) regulatory mechanism.

Ireland has currently appointed one Commissioner for Data Protection, however, the DP Act provides that the DPC can

consist of up to three members. In the event that there is more than one Commissioner, one of the Commissioners will

be appointed as a Chairperson. In May 2019, Helen Dixon was appointed as Commissioner for Data Protection for a

second five-year term.


The contact details of the DPC (or An Coimisiún um Chosaint Sonraí) are as follows:

Dublin office

21 Fitzwilliam Square South

Dublin 2, D02 RD28

Ireland

Regional office

Canal House

Station Road

Portarlington

R32 AP23 Co. Laois

Ireland

 

Website

www.dataprotection.ie

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

There is no general requirement in Ireland for controllers or processors to register their processing activities with the

DPC, however, a register of Data Protection Officers (DPOs) is maintained.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger


corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate

to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be

told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article

38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Ireland has not yet extended the requirement to appoint a Data Protection Officer (“DPO”). However, Section 34 of the

DP Act does provide the Minister for Justice and Equality with the power to make regulations requiring controllers or

processors to designate a data protection officer.

In addition, the DP Act requires enhanced “suitable and specific” measures to be implemented in relation to certain

processing activities. In such cases, the designation of a DPO (in cases where it is not mandatory under GDPR) is listed in

section 36 of the DP Act as one example of such measures.

The DPC maintains a register of DPOs. No fee is charged for registering or updating the details of a DPO.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to

demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping,

audit and appropriate governance will all form a key role in achieving accountability.


Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed

are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be

capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was


not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information


about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results

relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the

search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly

affects him or her” is only permitted where:

necessary for entering into or performing a contract;

authorized by EU or Member State law; or 

the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Part 3 of the DP Act sets out a range of national derogations as provided for in GDPR. Some of the notable provisions

include the following.

Processing for purpose other than purpose for which data collected


Section 41 of the DP Act permits the processing of personal data or special categories of personal data for purposes

other than for which it was collected where necessary and proportionate for the purposes of: (a) preventing threats to

national security, defence or public security; (b) preventing, detecting, investigating or prosecuting crime; (c) providing /

obtaining legal advice; (d) in connection with legal claims or prospective claims; or (e) establishing, exercising or defending

legal rights.

Special category data

Chapter 2 of Part 3 governs the processing of special category personal data. The DP Act permits the processing of

special category data in certain circumstances including:

for employment / social welfare law purposes;

in relation to legal advice and proceedings;

in the course of electoral activities;

for the purposes of the administration of justice;

for certain insurance or pension purposes as well as in relation to the mortgaging of a property;

for reasons of substantial public interest;

by health care workers for medical, health and social care purposes;

in the interests of public health; and

for archiving, scientific, historic or statistical purposes.

In most such cases, the DP Act requires enhanced “suitable and specific” measures to be implemented in order to protect

the rights and freedoms of data subjects. The DPC has the right to request evidence of such measures, which can include:

explicit consent of the data subject;

limitations on access to the personal data;

strict time limits for erasure of the personal data;

specific training for those processing the personal data;

various enhanced technical and organisational measures such as encryption and pseudonymisation; and

processes and procedures for risk assessment purposes.

Health research regulations

The Data Protection Act 2018 (Section 36(2)) (Health Research) Regulations 2018 came into force in August 2018. The

Health Research Regulations introduced material changes to the rules governing how health research can be conducted in

Ireland and include:

a new statutory definition of “health research”;

a prescribed list of mandatory “suitable and specific measures” that must be adopted when processing personal

data for health research purposes, including a general requirement that “explicit consent” be obtained from data

subjects; and

a list of exceptional circumstances in which explicit consent is not required and a detailed

process to be followed in such cases.

Article 10 (criminal records) data

The DP Act expands the definition of Article 10 data to include personal data relating to the alleged commission of an

offence and any proceedings relating to such offence. Section 55 of the DP Act provides for Article 10 (i.e. criminal

records) data to be lawfully processed in a number of limited circumstances including:

where the data subject has given explicit consent;

where necessary and proportionate for the performance of a contract to which the data subject is party;

where necessary for providing / obtaining legal advice or in connection with legal claims or prospective claims;

where necessary for establishing, exercising or defending legal rights; or


where necessary to prevent injury or damage or otherwise to protect vital interests.

The DP Act also requires enhanced “suitable and specific” measures to be taken to safeguard the rights and freedoms of

data subjects in all of the above circumstances.

Children & child’s consent to information society services

The DP Act defines a “child” as a person under 18 (this is relevant for example in assessing whether or not a data

protection impact assessment may be required).

The DP Act provides that the digital age of consent in Ireland is 16 years old. This means that in order for any personal

data pertaining to a child below the age of 16 to be processed in relation to an information society service, the consent of

a parent or guardian is also required. This provision must be reviewed by 2021. The DPC ran two public consultations in

2019 on the processing of children’s personal data and the rights of children as data subjects and published the draft

“Fundamentals for a Child-Oriented Approach to Data Processing” in December 2020 for a final round of consultation.

The DPC also has a statutory function, under section 32 of the DP Act, to encourage the drawing up of codes of conduct

for the protection of children.

Section 33 of the DP Act provides a specific right of erasure for children in connection with personal data collected in

relation to the offer of information society services.

The DP Act includes a prohibition on the processing of children’s personal data for the purposes of direct marketing,

profiling and micro-targeting. Section 30 has however not been commenced due to concerns that enacting it would place

Ireland in breach of EU law. 

Automated decision making

Section 57 of the DP Act provides for a derogation whereby the right under GDPR not to be subject to a decision based

solely on automated processing, including profiling, does not apply where the decision is authorised or required under an

enactment and either (1) the effect of the decision is to grant a request of the data subject, or (2) adequate steps have been

taken to safeguard the legitimate interests of the data subject.

Rights of data subjects

Section 60 of the DP Act sets out the circumstances in which data subject rights may be restricted. These include where such restrictions are necessary and proportionate:

1. to safeguard cabinet confidentiality, parliamentary privilege, national security, defence and the international relations of the State;
2. for the prevention, detection, investigation and prosecution of criminal offences;
3. for the administration of taxes or duties;
4. for the establishment, exercise or defence of a legal claim or prospective legal claim;
5. for the enforcement of civil law claims; or
6. for the purposes of estimating the amount of the liability of a controller on foot of a claim.

Section 60 also restricts data subject rights to the extent that the personal data relating to the data subject is an expression or opinion by another person given in confidence, or on the understanding that it would be treated as confidential. The person in receipt of the information must have a legitimate interest in receiving the information.

Data subject rights can also be restricted in relation to information which is subject to legal privilege.

TRANSFER

https://www.dlapiperdataprotection.com
DATA PROTECTION LAWS OF THE WORLD
Data Protection Laws of the World: Ireland (www.dlapiperdataprotection.com)

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on the condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, amongst others, binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context-specific derogations, permitting transfers to third countries where:

1. explicit informed consent has been obtained;
2. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
3. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
4. the transfer is necessary for important reasons of public interest;
5. the transfer is necessary for the establishment, exercise or defence of legal claims;
6. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
7. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

Section 37 of the DP Act provides the Minister for Justice and Equality with the power to make regulations restricting the transfer of categories of personal data to a third country or an international organisation for important reasons of public policy.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

1. the pseudonymization and encryption of personal data;
2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The DP Act requires enhanced “suitable and specific” measures to be implemented in relation to certain processing activities. In such cases, enhanced data security measures (including logs / audit trails and encryption) are listed in section 36 of the DP Act as one example of such measures.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

Personal data breaches should be notified to the DPC, which has published specific web forms and risk rating requirements for personal data breach notifications.

Separate online breach reporting web forms are provided depending on whether the personal data breach is a national or cross-border breach (in the latter case where the DPC acts as the lead supervisory authority under GDPR’s main establishment (or “one-stop shop”) regulatory mechanism). A further specific form is provided for telecommunications and internet service providers to report breaches under Commission Regulation (EU) No 611/2013.

Organisations reporting breaches are requested to provide a self-declared risk rating using the following thresholds:

- Low Risk: The breach is unlikely to have an impact on individuals, or the impact is likely to be minimal.
- Medium Risk: The breach may have an impact on individuals, but the impact is unlikely to be substantial.
- High Risk: The breach may have a considerable impact on affected individuals.
- Severe Risk: The breach may have a critical, extensive or dangerous impact on affected individuals.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

- the basic principles for processing, including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;
- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58), including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

- any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Enforcement powers

Part 6 of the DP Act provides the DPC with a wide range of powers to supervise organisations under its jurisdiction, including:

- powers to handle complaints made (directly or indirectly) to it;
- powers to open and conduct “own-volition” inquiries;
- powers to issue decisions and exercise corrective powers (including administrative fines) provided for in GDPR;
- powers to issue a variety of corrective orders including warnings, reprimands, directions, suspensions or restrictions;
- powers of entry, search, seizure and inspection, including the removal and retention of documents or records;
- powers to issue information and enforcement notices; and
- powers to require an organisation to carry out a report or audit.

Criminal offences

The DP Act provides for several offences which can result in prosecution, imprisonment, and criminal penalties being imposed. Where offences are committed by an organisation, and such offence is committed with the consent, connivance or negligence of a manager, director, secretary or other officer of the company, the individual will be personally liable for the offence, as well as the organisation. The offences under the DP Act include:

- an employer or potential employer forcing an individual to make a subject access request;
- a processor disclosing personal data without the consent of the controller unless required to do so by law;
- obtaining and disclosing, or selling personal data to a third party without the consent of the relevant controller or processor of that data, or in relation to data which were unlawfully disclosed to them;
- contravening the provisions relating to the processing of criminal convictions and offences data;
- not cooperating with an authorised officer during an investigation, audit or inspection; and
- failing to comply with an information or enforcement notice.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The ePrivacy Regulations implement the anti-spam rules set out in Article 13 of the Privacy and Electronic Communications Directive 2002/58/EC (as amended by the Citizens’ Rights Directive). These regulations came into effect on 1 July 2011. Electronic mail includes text messages (SMS), voice messages, sound messages, image messages, multimedia messages (MMS) and email messages.

Direct marketing emails can generally only be sent to users with their prior consent. A limited exemption is available for direct marketing emails sent to existing customers promoting other products or services similar to those previously purchased by that consumer (such emails can only be sent for 12 months, the customer must have been given the opportunity to object when the details were collected and the product or service being marketed must be a product or service offered by the person with the existing relationship with the customer). B2B direct marketing emails can generally be sent unless the recipient has informed the sender that it does not consent to the receipt of such messages.

The identity of the sender must not be disguised or concealed and the recipient must be offered an opt-out.

Direct marketing calls (excluding automated calls) may be made to a landline provided the subscriber has not previously objected to receiving such calls or noted his or her preference not to receive direct marketing calls in the National Directory Database.

Direct marketing calls cannot be made to a mobile phone without prior consent.

One cannot send a direct marketing fax to an individual subscriber in the absence of prior consent. One can send such a fax to a corporate subscriber unless that subscriber has previously instructed the sender that it does not wish to receive such communications or has recorded a general opt-out to receiving such direct marketing faxes in the National Directory Database.

Breach of these anti-spam rules is a criminal offence. On a summary prosecution (before a judge sitting alone) a maximum fine of EUR 5,000 per message sent can be handed down. On conviction on indictment (before a judge and jury) a company may be fined up to EUR 250,000 per message sent and an individual may be fined up to EUR 50,000 per message.


Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (“ePrivacy Directive”), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation, though there remains uncertainty at an EU level as to when this legislation will be passed. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

In Ireland, the European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“ePrivacy Regulations”) implement the rules on electronic direct marketing set out in the ePrivacy Directive.

Direct marketing emails (which includes SMS and other text, voice, sound or image messages) can generally only be sent to users with their prior (opt-in) consent.


Two exemptions are available whereby emails can be sent on an opt-out basis:

Customer exception

Direct marketing emails may be sent on an opt-out basis to an existing customer promoting similar products or services to those purchased by that customer. Such emails can only be sent for 12 months from the date of sale to the customer, and the customer must be given the opportunity to object both (1) when the details were collected, and (2) in each marketing message. Moreover, the product or service being marketed must be a product or service offered by the person with the existing relationship with the customer.

B2B exception

Business to business (“B2B”) direct marketing emails can generally be sent unless the recipient has informed the sender that it does not consent to the receipt of such messages. To qualify for the B2B exception, an email address must reasonably appear to the sender to be an email address used mainly by the recipient in the context of their commercial or official activity and the marketing message must relate solely to that commercial or official activity.

ONLINE PRIVACY

Cookies

Consent is needed for the use of cookies unless the cookie is strictly necessary for the provision of a service to that subscriber or user. The 2011 Regulations expressly refer to the use of browser settings as a means to obtain consent. There is no express requirement for consent to be ‘prior’ to the use of a cookie. A user must be provided with ‘clear and comprehensive information’ about the cookie (including, in particular, its purposes). This information must be prominently displayed and easily accessible. The methods adopted for giving information and obtaining consent should be as ‘user friendly’ as possible. The DPC has provided regulatory guidance on cookies and other tracking technologies, which can be accessed at https://www.dataprotection.ie/en.

Location Data

One cannot process location data unless either:

- such data has been made anonymous, or
- user consent has been obtained.

A provider of electronic communication networks or services or associated facilities (i.e. a telco) must inform its users of:

- the type of location data (other than traffic data) that will be processed;
- the purpose and duration of the processing; and
- whether the data will be transmitted to a third party to provide a value added service.

Users can withdraw their consent to the processing of location data.

Cookies

The use of cookies (and similar technologies) is regulated by the GDPR as well as the ePrivacy Regulations.

The ePrivacy Regulations provide that a person shall not use an electronic communications network to store information, or to gain access to information already stored in the terminal equipment of a subscriber or user, unless (1) the subscriber or user has given his or her consent to that use, and (2) the subscriber or user has been provided with clear and comprehensive information which (a) is both prominently displayed and easily accessible, and (b) includes, without limitation, the purposes of the processing of the information.

The DPC’s guidance has confirmed that all cookies and tracking technology tools require consent, apart from two exceptions:

- Communications exemption – a cookie whose sole purpose is to carry out the transmission of a communication over a network; and
- Strictly necessary exemption – this applies to a service delivered over the internet (e.g. websites or apps) which has been explicitly requested by the user and where the use of cookies is restricted to what is strictly necessary to provide that service.

The DPC indicated that enforcement action on compliance with its regulatory guidance for controllers would commence in October 2020.

Location data

The ePrivacy Regulations deal with the collection and use of location and traffic data by electronic communications network and service providers. Location data other than traffic data relating to users or subscribers of undertakings can only be processed if (1) such data are made anonymous, or (2) the consent of the users or subscribers has been obtained to the extent and for the duration necessary for the provision of a value added service.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

John Magee
Partner
T +353 1 436 5450
john.magee@dlapiper.com

Nicole Fitzpatrick
Associate
T +353 1 487 6694
nicole.fitzpatrick@dlapiper.com

Eilis McDonald
Associate
T +353 1 436 5479
eilis.mcdonald@dlapiper.com

ISRAEL

Last modified 23 December 2020

LAW

The laws that govern the right to privacy in Israel are the Basic Law: Human Dignity and Liberty, 5752-1992; the Protection of Privacy Law, 5741-1981 and the regulations promulgated thereunder (the ‘PPL’); and the guidelines of the Israel Privacy Authority (as defined below).

DEFINITIONS

Definition of personal data

Personal Data, as defined under the PPL, means: data regarding the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person.

Definition of sensitive personal data

Sensitive Data, as defined under the PPL, means: data on the personality, intimate affairs, state of health, economic position, opinions and beliefs of a person; and other information if designated as such by the Minister of Justice with the approval of the Constitution, Law and Justice Committee of the Knesset. No such determination has been made to date.[1]

Footnote 1: On July 23, 2020, the Israeli Ministry of Justice published a draft bill proposing to amend the PPL. The draft bill proposes to revise defined terms under the PPL to align with the definitions in the GDPR, such as the definitions of: personal data, processing, owner of a database, holder of a database and others. In addition, the draft bill attempts to limit database registration requirements to apply to certain categories of databases containing information on 100,000 data subjects or more. The draft bill has yet to be placed on the table of the Israeli Knesset for its first reading.

NATIONAL DATA PROTECTION AUTHORITY

The Israel Privacy Authority (“IPA”) was established in September 2006, as determined by Israel’s Government decision no. 4660, dated 19.01.2006.

REGISTRATION

Subject to certain exceptions, database registration is required to the extent one of the following conditions is met:[1]

- the database contains information in respect of more than 10,000 data subjects;
- the database contains sensitive information;
- the database includes information on persons, and the information was not provided by them, on their behalf or with their consent;
- the database belongs to a public entity; or
- the database is used for direct marketing services.

A database is defined under the PPL as a collection of data, stored by magnetic or optic means and intended for computer processing, consequently excluding non-computerized collections.

In 2005, the Ministry of Justice set up a committee generally known as the ‘Schoffman Committee’, which recommended relaxing registration of ‘ordinary’ databases and focusing on specific categories of information (e.g. medical data, criminal records or information about a person’s political or religious beliefs). However, to date, the Schoffman Committee recommendations have not crystallized into binding legislation.

On November 11, 2018, the IPA published Opinion: Is the Collection of Names and Emails Considered a “Database”?, in which the IPA ruled that a list of emails is deemed Personal Data.

Footnote 1: See footnote 1 under Definitions above (the draft bill of July 23, 2020 proposing to amend the PPL).

DATA PROTECTION OFFICERS

Appointment of a Data Protection Officer is required by an entity meeting one of the following conditions:

- a possessor of five databases that require registration;
- a public body as defined in Section 23 of the PPL; or
- a bank, an insurance company or a company engaging in rating or evaluating credit.

Failure to nominate a Data Protection Officer when required to do so may result in criminal sanctions, including administrative fines. The PPL does not require that the Data Protection Officer be an Israeli citizen or resident.

In the event that a data protection officer was appointed pursuant to the PPL, the Israel Protection of Privacy Regulations (Data Security), 5777-2017 (‘Data Security Regs’) require that the officer be directly subordinate to the database manager, or to the manager of the entity that owns or holds the database. In addition, the Data Security Regs prohibit the officer from being in a conflict of interest and require the officer to establish data security protocols and ongoing plans to review compliance with the Data Security Regs. The officer must present findings from such review to the database manager and its supervisor.

COLLECTION & PROCESSING

The collection, processing or use of personal data is permitted subject to obtaining the informed consent of the data subjects. Such consent should adhere to purpose, proportionality and transparency limitations. As such, consent should be obtained for specific purposes of use, the processing and use of personal data should be proportionate to those purposes, and data subjects should have the right to inspect and correct their personal information. The data subject’s consent must be re-obtained for any change in the purpose of use.

Any request for consent from a data subject to have his or her personal data stored and used within a database must be accompanied by a notice indicating:

- whether there is a legal requirement to provide the information;
- the purpose for which the information is requested;
- the recipients of the data; and
- the purpose(s) of use of the data.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Israel 536 | | | www.dlapiperdataprotection.com

Retaining outsourcing services for the processing of personally identifiable information is subject to the IPA’s Guidelines on the Use of Outsourcing Services of Processing Personal Information (Guideline 2/2011) dated 10 June 2012 (‘Outsourcing Guidelines’). The Outsourcing Guidelines include, inter alia, factors to be taken into consideration when deciding to use outsourcing services, specific provisions to be included within the data transfer agreement, and data security requirements. Processing of personally identifiable information in certain sectors is subject to additional outsourcing requirements.

Furthermore, the Outsourcing Guidelines also require compliance with the Data Security Regs.

Entities subject to separate outsourcing guidelines include, for example, entities supervised by the Commissioner of the Capital Market, Insurance and Savings and entities supervised by the Banking Supervision Department of the Bank of Israel. On 10 September 2014, the Banking Supervision Department of the Bank of Israel issued draft guidelines regarding risk management in cloud computing services used by Israeli banking corporations. Among various other restrictions, the draft guidelines set forth an obligation on supervised entities to receive the approval of the Supervisor of Banks prior to using cloud computing services.

The general issue of privacy considerations in the use of surveillance cameras is governed by the IPA Use of Surveillance Cameras and the Footage Obtained Therein Guidelines (no. 4/2012). In 2017, the IPA published the Use of Surveillance Cameras in the Workplace and in Working Relationships Guidelines (no. 5/17), specifically referring to the use of surveillance cameras in the workplace. The guidelines state that the employer’s prerogative to use surveillance means in the workplace is subject to fulfillment of principles such as legitimacy, transparency, proportionality, good faith and fairness. These principles also apply to businesses required by law enforcement to place surveillance cameras on their premises. The guidelines specify the manner in which these principles should be implemented, derivative requirements and possible implications.

On December 27, 2018, the Camera Installation Law for the Protection of Toddlers in Day Care Centers for Toddlers (5779 – 2018) was published; it became effective on September 1, 2020. The said law provides that the operator of a daycare center for toddlers is required (unless it falls under the exceptions under the law) to install cameras that record, without sound, during the time the toddlers are present. It is forbidden to view the videos, to copy them, to transfer them to another person or to make any use of them without a court order (except for the Police and Ministry of Welfare officials for the purpose of preventing harm to toddlers in the daycare). No real-time viewing of the footage is permitted, and it must be deleted within 30 days from the date of filming.

Furthermore, the Recommendations: Privacy Aspects of Use of Drones, published on March 29, 2020, recommend that the drone user take into account alternatives that will not violate the privacy of others and activate the drone proportionately in order to minimize the scope of Personal Data collected, processed and stored. The period for which the Personal Data is retained should be limited as much as possible, and for as long as the Personal Data is stored on the drone, the drone is to be kept in a physically safe location. The drone user should also ensure privacy by design and compliance with the PPA requirements in respect of privacy by notification, transparency and deletion of data.

TRANSFER

The transfer of personal data abroad is subject to the Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001, pursuant to which personal data may be transferred abroad only to the extent that:

- the laws of the country to which the data is transferred ensure a level of protection no lesser than the level of protection of data provided for by Israeli law; or
- one of the following conditions is met:
  - the data subject has consented to the transfer;
  - the consent of the data subject cannot be obtained and the transfer is vital to the protection of his or her health or physical wellbeing;
  - the data is transferred to a corporation under the control of the owner of the database from which the data is transferred, provided that such corporation has guaranteed the protection of privacy after the transfer;
  - the data is transferred to an entity bound by an agreement with the database owner to comply with the conditions governing the use of the data as applicable under Israeli law, mutatis mutandis;
  - the data was made available to the public or was opened for public inspection by legal authority;
  - the transfer of data is vital to public safety or security;
  - the transfer of data is required by Israeli law; or
  - the data is transferred to a database in a country:
    - which is a party to the European Convention for the Protection of Individuals with Regard to Automatic Processing of Sensitive Data; or
    - which receives data from Member States of the European Community under the same terms of acceptance (see Footnote 1 below); or
    - in relation to which the Registrar of Databases announced, in an announcement published in the Official Gazette (Reshumot), that it has an authority for the protection of privacy, after reaching an arrangement for cooperation with that authority.

When transferring personal data abroad, the database owner is required to enter into a data transfer agreement with the data recipient, pursuant to which the recipient undertakes to apply adequate measures to ensure the privacy of the data subjects and guarantees that the data shall not be further transferred to any third party.

The foregoing data transfer agreement must also comply with additional restrictions, to the extent that the recipient provides outsourcing services, as set forth in the Outsourcing Guidelines.

On January 31, 2011, the European Commission, on the basis of Article 25(6) of Directive 95/46/EC, determined that the State of Israel ensures an adequate level of protection with regard to automated processing of personal data.

Additionally, the transfer of databases is subject to the IPA Draft Guidelines No. 3/2017, which under certain circumstances, such as the database recipient having a conflict of interest, might require opt-in consents of data subjects as a condition to transferring databases.

Footnote 1: Following the decision of the ECJ in Case C-362/14 Maximillian Schrems v Data Protection Commissioner, the IPA issued a statement on October 15, 2015, according to which US Safe Harbour certified entities would not fall under the foregoing condition, without derogating from all other conditions. Similarly, following the decision of the CJEU in Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, the IPA issued a statement on September 29, 2020, according to which US Privacy Shield certified entities would not fall under the foregoing condition, without derogating from all other conditions.

SECURITY

On March 21, 2017, the Constitution, Law, and Justice Committee of the Knesset approved the Data Security Regs, which came into effect in May 2018. The Data Security Regs further broaden the PPL by imposing additional requirements applicable to database owners, holders and managers. Such additional requirements include, without limitation, having in place a broad list of manuals and policies; various physical, environmental and logical security measures; and regular audit, inspection and training obligations.

Furthermore, the Data Security Regs add to the Outsourcing Guidelines, which in effect would expand the requirements applicable when outsourcing processing services, even prior to entering into a data transfer agreement between the database owner and the data recipient, and the requirements to be included therein.

Failure to comply with the Data Security Regs will constitute a breach of the PPL, which may expose a non-compliant entity to criminal and civil liability, as well as to administrative fines.

In March and April of 2018, the IPA published guidelines regarding the applicability of the Data Security Regs to four types of organizations: organizations certified to the ISO/IEC 27001 standard; supervised entities subject to the directives of the Supervisor of Banks; management companies and insurers subject to the provisions of the Capital Market, Insurance and Savings Authority; and non-bank stock exchange members subject to stock exchange regulations. These types of organizations only need to comply with selected provisions of the Data Security Regs.

On May 1, 2018, the IPA published the Privacy Protection Authority’s Policy for Reporting Severe Security Incidents. The directive sets forth the instructions on how to report a severe security incident. Failure to comply with the directive may lead to sanctions such as publicizing the violation or deletion of the database registration.

BREACH NOTIFICATION

Pursuant to the Data Security Regs, data breach notifications are required depending on the severity of the breach and the category of the database. Such notifications are generally made to the IPA, which may require further notification to the data subjects.

ENFORCEMENT

The IPA has the authority and obligation to supervise compliance with and enforce the provisions of the PPL, and to appoint inspectors to carry out those activities.

Breach of the PPL may result in both civil and criminal sanctions, including administrative fines, 15 years of imprisonment, and the right to receive statutory damages under civil proceedings without the need to prove actual damages.

The current draft bill for the 13th Amendment of the PPL provides the IPA with the ability to conduct criminal investigations and to impose monetary sanctions in the amount of up to NIS 3.2 million. The draft bill has passed its first reading, but has yet to pass the approval of the Knesset Constitution, Law and Justice Committee; thereafter it would also need to pass the second and third readings in order to become a binding piece of legislation.

ELECTRONIC MARKETING

Unsolicited marketing is regulated under the Communications Law (Telecommunications and Broadcasting), 1982 (the ‘Anti Spam Act’). The Anti Spam Act prohibits, subject to certain exceptions, advertising by means of automated dialing, fax or text messages without first obtaining the recipient’s initial opt-in prior consent; all such communications must also contain an opt-out / unsubscribe option.

Furthermore, the PPL governs the possession and management of databases intended for direct mailing services and imposes restrictions in connection therewith, including a database registration requirement specifying the purpose of direct mailing and specific recordkeeping requirements. Moreover, the IPA Guidelines No. 2/2017 impose additional requirements intended for direct mailing services, which, inter alia, include specific notice obligations such as indication of database information and sources, and an initial opt-in requirement.

Additionally, the said IPA Guidelines govern direct marketing services and, inter alia, require specific opt-in consents and notice requirements.

ONLINE PRIVACY

The PPL does not specifically address online privacy, cookies and / or location data, all of which are governed by the general restrictions detailed above, including the requirements imposed on processing databases and direct marketing and the consent, purpose and proportionality restrictions.

The PPL governs information “about a person”; as such, depending upon the circumstances at hand, any non-identifiable and anonymous information (which cannot be re-identified) may reasonably be interpreted as falling outside the confines of the PPL limitations.


KEY CONTACTS

Goldfarb Seligman & Co., Law Offices
www.goldfarb.com

Sharon Aloni
Partner
Goldfarb Seligman & Co., Law Offices
T +972 (3) 608 9834
sharon.aloni@goldfarb.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

ITALY

Last modified 14 January 2020

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Italian data protection law framework has been harmonized with the GDPR by means of Legislative Decree 101/2018, which entered into force on 19 September 2018, amended a number of provisions of Legislative Decree 196/2003 (the “Privacy Code”) and introduced some transitional provisions regulating the migration to the new regime.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Italian Privacy Code adopts the definitions provided by the GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Privacy Code provides that the supervisory authority in Italy is the Garante per la protezione dei dati personali (the “Garante”). The Garante is composed of a Council and an Office. The Council is made up of four members, two elected by the Chamber of Deputies and two by the Senate of the Republic. The members are elected from amongst those who apply for this position in a selection procedure whose details are published on the websites of the Chamber of Deputies, the Senate of the Republic and the Garante. The members elect a Chairman, in the event of parity of votes. The Office is made up of 162 members that are recruited by way of a public competition.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

Under the GDPR and the Privacy Code there is no obligation to notify regulators of any data processing activity.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

- it is a public authority;
- its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or
- its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

- to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
- to monitor compliance with the law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff;
- to advise on and monitor data protection impact assessments where requested; and
- to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

- processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
- adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
- accurate and where necessary kept up to date (the “accuracy principle”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
- processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

- with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);
- where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
- where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
- where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);
- where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
- where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

- with the explicit consent of the data subject;
- where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
- where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
- in limited circumstances by certain not-for-profit bodies;
- where processing relates to personal data which are manifestly made public by the data subject;
- where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity;
- where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
- where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;
- where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
- where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to genetic data, biometric data and health data.


Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

- any link between the original purpose and the new purpose;
- the context in which the data have been collected;
- the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible);
- the possible consequences of the new processing for the data subjects; and
- the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

- the identity and contact details of the controller;
- the data protection officer’s contact details (if there is one);
- both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
- the recipients or categories of recipients of the personal data;
- details of international transfers;
- the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
- the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
- where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
- the consequences of failing to provide data necessary to enter into a contract;
- the existence of any automated decision making and profiling and the consequences for the data subject; and
- in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Italy 545 | | | www.dlapiperdataprotection.com


Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results

relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the

search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly

affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorised by EU or Member State law; or

c. the data subject has given their explicit (i.e. opt-in) consent.


Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Article 2-sexies of the Privacy Code specifies that the processing of special category data necessary for the performance of

a task carried out in the public interest is allowed only insofar as the processing is provided for by European or domestic

legislation. This legislation must identify the reasons of public interest for which the processing is carried out, the types of

data that can be processed, the operations that can be performed and the appropriate and specific measures protecting

the fundamental rights and interests of the data subjects. In this context, the Privacy Code underlines that processing of

genetic data, biometric data or data concerning health shall comply with additional requirements to be identified by the

Garante by means of specific measures establishing further conditions in which the data processing is permitted.

With regard to personal data relating to criminal convictions and offences, Article 2-octies of the Privacy Code provides

that the processing can be carried out only if a specific legal provision authorizes the processing, also identifying the

applicable security measures, otherwise processing activities have to be carried out under the control of a public

authority.

With regard to individuals’ rights, Art. 2-undecies of the Privacy Code provides several restrictions on data subjects’ rights

for reasons of justice. In particular, data subjects rights may be exercised within the limits established in the law and

regulations on the proceeding and procedures before the courts. The exercise of such rights may be delayed, limited or

excluded for as long as and to the extent that it is a necessary and proportionate measure, having regard to the

fundamental rights and legitimate interests of the data subject. Finally, the Privacy Code sets out data protection rights of

deceased persons. Indeed, the rights provided for in Articles 15 through 22 of the GDPR referring to personal data

concerning deceased persons may be exercised by those having an interest of their own, or act to protect the data

subject, as her/his delegate, or for family reasons worthy of protection. The exercise of such rights is not permitted when

provided for by the law or when, specifically limited to the offer of information society services, the data subject expressly

prohibited it in writing by way of a declaration sent to the data controller. The data subject may withdraw or modify such

declaration at any time.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU – U.S. Privacy

Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and

in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

The Privacy Code does not derogate from the GDPR in regard to transfers.

 

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

a. the pseudonymisation and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for

ensuring the security of the processing.

The Privacy Code does not prescribe further security measures that should be followed to protect personal data.

Nevertheless, genetic data, biometric data or data concerning health must be processed in accordance with the additional

safeguard measures issued by the Garante every two years (Article 2-septies). Such safeguard measures take into account

the guidelines, recommendations and best practices published by the European Data Protection Board and best practices

on personal data processing; scientific and technological evolution in the sector covered by such measures; and the

interest of the free flow of personal data within the territory of the Union. Also, the Garante may issue codes of ethics

that set out security measures for the processing of personal data for statistical and scientific research purposes.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as


any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The Privacy Code does not set out additional rules on data breach notifications.

However, data breaches that require notification should be notified to the Garante by completing a form available at the

Garante website. The notification form, once completed with the required information, must be sent via certified e-mail to

the Garante and must be signed digitally (with qualified electronic signature/digital signature) or with handwritten

signature.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and


certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The Privacy Code provides that investigations and enforcement actions are handled by the Garante.

ELECTRONIC MARKETING

The GDPR and the Privacy Code apply to most electronic marketing activities, as these will involve some use of personal data (e.g.

an email address which includes the recipient’s name). As further analyzed below, under Section 130 of the Privacy Code, the legal

basis for electronic marketing is consent. The strict standards for consent under the GDPR are to be noted, and marketing

consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent

box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such

as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its


draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Privacy Code (Section 130) does not prohibit the use of personal data for the purpose of electronic marketing, but it requires

the prior informed consent (opt-in) from the recipient of the communication. The use of automated calling or communications

systems without human intervention for the purposes of direct marketing or for sending advertising materials, or else for carrying

out market surveys or interactive business communication, as well as electronic communications performed by e-mail, facsimile,

MMS or SMS-type messages or other means shall only be allowed with the contracting party’s or user’s consent. Such consent

shall be recorded with reference to its date and the person giving it in order to be used as evidence of the consent.

Separate consents shall be required for the registration to a website and the opt-in to the delivery of marketing communications,

however the data subjects may be required to provide a unique marketing consent covering the different marketing practices (e.g.

marketing via SMS, email, telephone, market surveys, etc.) performed through the collected data, provided that such practices are

outlined in the information notice provided to data subjects.

An additional separate consent shall be required for the transfer of collected personal data to third parties for marketing

purposes. Said third party shall also be identified at least on the basis of its category of operation and provide an information

notice to data subjects before the delivery of marketing communications.

Where a data controller uses, for direct marketing of his own products or services, electronic contact details for electronic mail

supplied by a data subject in the context of the sale of a product or service, said data controller need not request the data

subject’s consent, on condition that the services are similar to those that have been the subject of the sale and the data subject,

after being adequately informed, does not object to said use either initially or in connection with subsequent communications. The

data subject shall be informed of the possibility to object to the processing at any time, using simple means and free of charge,

both at the time of collecting the data and when sending any communications for the purposes here referred.

Electronic marketing communications shall clearly identify the sender and provide to the recipient all necessary information in

order for him/her to eventually refuse the delivery of the direct marketing material (opt-out).

The possibility for the recipient to opt-out from marketing communication services must be guaranteed both during the first

contact with the recipient and during any following communications.

Marketing communications by way of non-automated telephone calls are permitted provided that either:

the data subject has given his prior consent, or 

the number of the data subject is included in the telephone directory and (s)he has not entered in a public opt-out

register (“Registro delle Opposizioni”) and opted out from being contacted for marketing purposes.

Law 11 January 2018, no. 5 provides stringent rules on telemarketing, including, amongst others, the withdrawal from all consents

previously given in case of enrolment in the Registro delle Opposizioni, save for consents provided based on contractual

arrangements in place or expired less than 30 days before the enrolment, and the prohibition to communicate, transfer or

disseminate personal data related to data subjects registered in the Registro delle Opposizioni for advertising or sales purposes or

for the purposes of carrying out market research or commercial communications not related to the activities, products or

services offered by the data controller.

The above mentioned privacy provisions apply also to communications sent through private messages on social networks and

through VoIP. On the contrary, should the data subject be a follower of a social network page, it may be implied that the data

subject has consented to the delivery of marketing communications of the page. Marketing messages concerning a given brand,

product or service as sent by the company managing the relevant social network page may be considered to be lawful if it can be

inferred unambiguously from the context or the operational arrangements of the relevant social network, also based on the

information provided, that the recipient did intend in this manner to also signify his/her intention to consent to receiving

marketing messages from the given company. However the delivery of marketing communications shall stop when the data subject

unregisters from the page.


The Privacy Code provisions relating to marketing and commercial communications make reference to the ‘contracting party’s and

user’s consent’ rather than to the ‘data subject’s consent’, referring both to individuals and companies.

ONLINE PRIVACY

The Privacy Code regulates the collection and processing of traffic data and location data by the provider of a public

communications network or publicly available electronic communications service and the use of cookies.

According to Section 123 of the Privacy Code, traffic data shall be erased or made anonymous when they are no longer necessary

for the purpose of transmitting the electronic communication. However traffic data can be retained for a period not longer than 6

months for billing and interconnection payments purposes or, with the prior consent of the contracting party or user (which may

be withdrawn at any time), for marketing electronic communications services or for the provision of value added services.

According to Section 126 of the Privacy Code, location data may only be processed if made anonymous or if the subscriber or

user has been properly informed and (s)he has given her/ his prior consent (which can be withdrawn at any time).

According to Section 122 of the Privacy Code (which reflects recital 66 of the E-Cookies Directive 2009/136/EC and the amended

Section 5, par. 3 of the Directive 2002/58/EC – as amended by Directive 2009/136/EC) the storing of information in the

contracting party’s or user’s computer is only allowed if said contracting party or user has been properly informed and (s)he has

given her/his consent.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Giulio Coraggio
Partner

T +39 02 80 6181

giulio.coraggio@dlapiper.com


Data Protection Laws of the World Japan 552 | | | www.dlapiperdataprotection.com

JAPAN

Last modified 1 January 2022

LAW

The Act on the Protection of Personal Information (“APPI”) regulates privacy protection issues in Japan and the Personal

Information Protection Commission (“PPC”), a central agency, acts as a supervisory governmental organization on issues of privacy

protection.

The APPI was originally enacted in 2003 but was amended and the amendments came into force on 30 May 2017. On 5 June 2020,

the Japanese Diet approved a bill to further amend the APPI (“Amended APPI”). The Amended APPI will come into force on April

1, 2022.

DEFINITIONS

Definition of Personal Information

Personal Information is information about a living individual which can identify a specific individual by name, date of birth or other

description contained in such information. Personal Information includes information which enables one to identify a specific

individual with easy reference to other information. According to the guidelines issued by the PPC, “easy reference to other

information” means that a business operator can easily reference other information by a method taken in the ordinary course of

business. If a business operator needs to make an inquiry of another business operator to obtain the “other information” and it is

difficult for the business operator to do so, such a situation would not be considered an “easy reference to other information”.

Personal Information includes any “Personal Identifier Code”. A Personal Identifier Code refers to certain types of data specified

under a relevant cabinet order of the APPI, and includes biometric data which can identify a specific individual, or data in the form

of a certain code uniquely assigned to an individual. Typical examples of such code would be passport numbers or driver’s license

numbers.

Definition of Sensitive Personal Information

Sensitive information includes information about a person’s race, creed, social status, medical history, criminal record, any crimes a

person has been a victim of, and any other information that might cause the person to be discriminated against.  Obtaining

sensitive information generally requires consent from the data subject.  Additionally, the “opt out” option (discussed below) is not

available for third party transfer for sensitive information; prior consent is basically required from the data subject to transfer the

sensitive information to a third party.

Definition of Anonymously Processed Information

“Anonymously Processed Information” refers to any information about individuals from which all personal information (i.e., the

information that can identify a specific individual, including any sensitive information) has been removed and such removed

personal information cannot be restored by taking appropriate measures specified in the enforcement rules and the relevant PPC


guidelines. As noted above, Personal Information includes personal identifier codes, so these must also be removed before

information is considered anonymized.

If a business operator has sufficiently anonymized the information, it can be used beyond the purpose of use notified to the data

subjects or disclosed to third parties without requiring the consent of the data subjects. However, care must be taken in

anonymizing the information before disclosure; a failure to completely sanitize the information could result in the disclosure of

Personal Information. Additionally, before disclosing the Anonymously Processed Information to a third party, a business operator

must publicly state (likely in its privacy policy) the items of information (for example, gender, birth year and purchase history)

included among the Anonymously Processed Information, and the means by which it shares the Anonymously Processed

Information.

Definition of Pseudonymously Processed Information

Given the high hurdle of utilizing Anonymously Processed Information, such information has been less utilized than originally

expected. The Amended APPI introduces the concept of “Pseudonymously Processed Information”, which is information that has been

processed so that (i) it cannot, on its own, be used to identify a specific individual, but (ii) the individual can be re-identified by

referencing other information (such as a separately held mapping between the substituted values and the originals). For example,

Pseudonymously Processed Information is information in which names, addresses and other similar items are replaced with a random

string of characters. Unlike normal Personal Information, a business operator can change the utilization purpose of Pseudonymously

Processed Information at its own discretion (i.e., a business operator does not need to obtain consent from data subjects to change

the utilization purpose). It is expected that business operators will utilize Pseudonymously Processed Information for internal data

analytics purposes.
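The difference between the two categories above, shown as an added Python example that is not part of the DLA Piper text: direct identifiers and an identifier code are either replaced with random tokens while a mapping table is kept apart (pseudonymised, so restorable by whoever holds the mapping) or removed outright with the birth date generalised to a year (anonymised). The record layout, the field names, the sample records and the residual_identifiers pre-disclosure check are assumptions made for illustration; the check is the kind of structural test a practitioner would run before relying on the relaxed rules for Anonymously Processed Information.

```python
import secrets
from copy import deepcopy

# Constructed sample records for illustration (not from the original text).
# "member_code" stands in for a personal identifier code, which the APPI
# treats as Personal Information and which must therefore also be removed
# before data counts as anonymised.
SAMPLE_RECORDS = [
    {"name": "Sato Hanako", "address": "1-1 Chiyoda, Tokyo",
     "email": "hanako@example.jp", "member_code": "M-0001",
     "gender": "F", "birth_date": "1988-04-12",
     "purchase_history": ["book", "coffee"]},
    {"name": "Suzuki Taro", "address": "2-2 Naka, Osaka",
     "email": "taro@example.jp", "member_code": "M-0002",
     "gender": "M", "birth_date": "1975-11-30",
     "purchase_history": ["headphones"]},
]

DIRECT_IDENTIFIERS = ("name", "address", "email")
IDENTIFIER_CODES = ("member_code",)
TOKENISED_FIELDS = DIRECT_IDENTIFIERS + IDENTIFIER_CODES


def pseudonymize(records):
    """Replace identifying fields with random tokens.

    Returns (pseudonymised records, mapping). The mapping is the "other
    information" that allows re-identification, so it must be stored
    separately from the processed data and under tighter access control.
    """
    mapping = {}
    out = []
    for rec in records:
        new = deepcopy(rec)
        for field in TOKENISED_FIELDS:
            if field in new:
                token = secrets.token_hex(8)  # 16 random hex characters
                mapping[token] = new[field]
                new[field] = token
        out.append(new)
    return out, mapping


def reidentify(pseudo_records, mapping):
    """Restore the originals; only possible for a party holding the mapping."""
    out = []
    for rec in pseudo_records:
        new = deepcopy(rec)
        for field in TOKENISED_FIELDS:
            if field in new and new[field] in mapping:
                new[field] = mapping[new[field]]
        out.append(new)
    return out


def anonymize(records):
    """Drop direct identifiers and identifier codes (no mapping is kept) and
    generalise the birth date to a birth year so it is no longer quasi-unique."""
    out = []
    for rec in records:
        new = {k: v for k, v in rec.items() if k not in TOKENISED_FIELDS}
        if "birth_date" in new:
            new["birth_year"] = int(new.pop("birth_date")[:4])
        out.append(new)
    return out


def residual_identifiers(records):
    """Pre-disclosure check: names of identifying fields still present.

    A non-empty result means the data set is at most pseudonymised (tokens
    are still identifiers for whoever holds the mapping) and must not be
    shared under the Anonymously Processed Information rules. This is a
    structural check only; free-text fields still need a manual review.
    """
    present = set()
    for rec in records:
        present.update(f for f in TOKENISED_FIELDS if f in rec)
    return sorted(present)


if __name__ == "__main__":
    pseudo, mapping = pseudonymize(SAMPLE_RECORDS)
    print("pseudonymised name:", pseudo[0]["name"])
    print("fields still identifying:", residual_identifiers(pseudo))
    print("restored from mapping:", reidentify(pseudo, mapping) == SAMPLE_RECORDS)
    anon = anonymize(SAMPLE_RECORDS)
    print("anonymised record:", anon[0], "residual:", residual_identifiers(anon))
```

The point the check makes is that pseudonymised data still fails it: the identifier fields are present, merely filled with tokens, so the relaxed purpose-of-use rule applies but the third-party disclosure rule for anonymised data does not. Only the output of anonymize, where those fields are gone and no mapping exists, passes.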

Definition of Personally Referable Information

The Amended APPI defines information which is related to personal matters, but that does not fall under the definition of Personal

Information as “Personally Referable Information”. The definition of Personally Referable Information is quite vague, but based on

the guidelines issued by the PPC, it includes, among other things, a web browsing history collected through the terminal identifier

such as a cookie, a person’s age, gender or family makeup that is linked to his/her email address, a person’s purchase

history of goods and/or services, a person’s location data, or a person’s area of interest. The handling of Personally Referable

Information is not regulated as Personal Information, but prior consent from data subjects would be required to transfer

Personally Referable Information in certain circumstances as discussed below.

NATIONAL DATA PROTECTION AUTHORITY

The PPC has been tasked with providing many of the details necessary to interpret and enforce the APPI. The PPC issues

guidelines for general rules for handling Personal Information, offshore transfer, confirmation and record requirements upon

provision of Personal Information to third parties and creation and handling Anonymously or Pseudonymously Processed

Information. The PPC is neutral and independent, and it has the power to enforce the APPI. However, its powers are limited to

performing audits and issuing cease and desist orders; it cannot itself impose administrative fines or criminal penalties.

Personal Information Protection Commission

Kasumigaseki Common Gate West Tower 32nd Floor, 3-2-1, Kasumigaseki, Chiyoda-ku, Tokyo, 100-0013, Japan

TEL: +81-(0)3-6457-9680

www.ppc.go.jp

REGISTRATION

Japan does not have a central registration system.

DATA PROTECTION OFFICERS

There is no specific legal requirement to appoint a data protection officer. However, some guidelines provide that specific

directors or employees should be assigned to control Personal Information (eg Chief Privacy Officer).


COLLECTION & PROCESSING

Specifying the Purpose of Use

When handling Personal Information, a business operator must specify to the fullest extent possible the purpose of use of the

Personal Information (“Purpose of Use”). Once a business operator has specified the Purpose of Use, it must not then make any

changes to the said purpose which could reasonably be considered to be beyond the scope of what is duly related to the original

Purpose of Use. In addition, when handling Personal Information, a business operator shall not handle the information beyond the

scope that is necessary for the achievement of the Purpose of Use without a prior consent of the individual. In other words, the

use of the information must be consistent with the stated Purpose of Use.

Public Announcement of the Purpose of Use

The Purpose of Use must be made known to the data subjects when Personal Information is collected or promptly thereafter and

this can be made by a public announcement (such as posting the purpose on the business operator’s website). When Personal

Information is obtained by way of a written contract or other document (including a record made in an electronic or magnetic

format, or any other method not recognizable to human senses), the business operator must expressly state the Purpose of Use

prior to the collection.

A business operator must ‘publicly announce’ or ‘expressly show’ the Purpose of Use in a reasonable and appropriate way.

According to the guidelines issued by the PPC, the appropriate method for a website to publicly announce the Purpose of Use of

information collected, is a one click access on the homepage so that the data subject can easily find the Purpose of Use before

submitting the Personal Information.

TRANSFER

Disclosing/Sharing Personal Information

Currently, Personal Data (meaning Personal Information stored in a database) may not be disclosed to a third party without the

prior consent of the individual, unless one of the following applies: the business operator handling the Personal Information adopts

the opt-out method; it provides advance notice of joint use to data subjects; the disclosure occurs in the course of a merger or

business transfer; or the handling of Personal Information is entrusted to a third party service provider.

Even disclosing the Personal Information within group companies is considered disclosing the Personal Information to a third party

and consent must be obtained, unless it meets the requirements of joint use. The APPI also has permitted the “opt out” method,

whereby a business operator can as a default disclose Personal Information to third parties, unless individuals opt out of allowing

the business operator to do so. The Amended APPI stipulates that Personal Information that was itself received from others

through the opt-out measure or that was obtained by improper means, as well as Sensitive Personal Information, cannot be

transferred through the opt-out measure. The APPI requires a business operator to notify the PPC in advance of, and to make public

or notify the data subject of, the items listed below concerning the opt-out:

the name, address and representative person of the business operator;

the fact that the purpose of use includes the provision of such information to third parties;

the nature of the Personal Information being provided to third parties;

the method by which Personal Information has been obtained;

the method by which Personal Information will be provided to third parties;

the matter that provision of such information to third parties will be stopped upon the request by the data subject;

the method for an individual to submit an opt out request to the business operator;


the method to update Personal Information which has been provided to third parties; and

the schedule date of provision of Personal Information.

The APPI does not provide any examples of how best to obtain consent from individuals before sharing Personal Information.

Generally, written consent should be obtained whenever possible. When obtaining consents, it would be prudent to clearly

disclose to the data subject the identity of the third party to whom the Personal Information will be disclosed, the contents of the

Personal Information and how the third party will use the provided Personal Information.

The guidelines issued by the PPC provide the following examples as appropriate methods of obtaining the consent for disclosing

Personal Information from the data subject:

receipt of confirmation of the oral or written consent (including a record created by electronic or magnetic means or any

other method not recognizable to human senses) from the data subject

receipt of a consent email from the data subject

the data subject’s ticking of a confirmation box concerning the consent

the data subject’s click of a button on the website concerning the consent, and

the data subject’s audio input, or touch of a touch panel, concerning the consent

If Personal Information is to be used jointly, the business operator must, prior to the joint use, notify the data subjects of, or

publish, the following:

the fact that the Personal Information will be used jointly

the item of the Personal Information to be disclosed

the scope of the joint users

the purpose for which the Personal Information will be used by them, and

the name, address and representative person of the business operator responsible for the management of the Personal

Information.

Transfer of Personally Referable Information

The Amended APPI stipulates that prior consent from data subjects is necessary if Personally Referable Information is transferred

to a third party and the receiving party can identify a specific individual by way of referencing such Personally Referable

Information with other information that the receiving party already has in its possession. In general, such consent is to be obtained

by the receiving party; the transferor therefore needs to confirm, before transferring Personally Referable Information to a third

party, that the receiving party has already obtained consent. The transferor may, however, collect data subjects’ consent on behalf

of the receiving party.

Cross-border Transfer

Under the APPI, in addition to the general requirements for third party transfer, prior consent of data subjects specifying the

receiving country is required for transfers to third parties in foreign countries unless the foreign country is white-listed under the

enforcement rules of the APPI or the third party receiving Personal Information has established similarly adequate standards for

privacy protection as specified in the enforcement rules of the APPI. Currently, the UK and the EU member states are specified as

white-listed countries based on the adequacy decision of January 23, 2019.

According to the enforcement rules of the APPI, “similarly adequate standards” means that the practices of the business operator

handling the Personal Information are at least equal with the requirements for protection of Personal Information under the APPI

or that the business operator has obtained recognition based on international frameworks concerning the handling of Personal

Information.

According to the guidelines for offshore transfer, one of the examples of an acceptable international framework is the APEC CBPR

system. With regard to data subject’s consents to transfer their Personal Information to foreign countries, the Amended APPI

stipulates that the business operator shall provide the following information to the data subject when obtaining consents

therefrom: (i) the name of the country where the receiving party resides, (ii) the data protection law system in that country and (iii) the

data protection measures that the receiving party implements. In addition, the business operator needs to take necessary

measures to ensure that the receiving party of such Personal Information continuously takes proper measures to process the

Personal Information in a manner equivalent to the requirements of the APPI.

SECURITY

The APPI requires that business operators prevent the leakage of Personal Information. The APPI does not set forth specific steps

that must be taken. The PPC guidelines suggest recommended steps that business operators should take to ensure that Personal

Information is secure. These necessary and appropriate measures generally include “Systematic Security Control Measures”,

“Human Security Control Measures”, “Physical Security Measures” and “Technical Security Control Measures”.

Guidelines often contain several specific steps or examples that entities subject to the guidelines must take with respect to each of

the security control measures such as developing internal guidelines pertaining to security measures, executing non-disclosure

contracts with employees who have access to Personal Information, protecting machines and devices and developing a framework

to respond to instances of leakage.

BREACH NOTIFICATION

Under the Amended APPI, business operators shall report data breach incidents to the PPC and affected data subjects if the data

breach incidents could harm the rights and interests of individuals. The PPC has set concrete thresholds for the reporting

obligation; in any of the cases (i)-(iv) below, the business operator needs to report to the PPC and notify the affected individuals:

(i) Sensitive Personal Information has been, or is likely to have been, leaked; (ii) Personal Information whose unauthorized use would

cause financial damage has been, or is likely to have been, leaked; (iii) a leak caused by a person acting with a wrongful purpose

(for example, an intrusion or a malicious insider) has occurred or is likely to have occurred; and (iv) a leak involving more than

1,000 data subjects has occurred or is likely to have occurred.

In addition, the PPC guidelines suggest that business operators (i) make necessary investigations and take any necessary preventive

measures, and/or (ii) make public the nature of the breach and steps taken to rectify the problem, if appropriate and necessary.

According to the PPC guidelines, if the facts demonstrate that the Personal Information which was exposed was recovered

immediately, before being seen by any third party, or was not actually disclosed (for example, where the company had encrypted

or otherwise secured the data in such a way that it is useless to a third party in possession of it, which presupposes that the

decryption key itself was not exposed), notice to the PPC or any other relevant authority is not necessary.

ENFORCEMENT

If the PPC finds any violation or potential violation of the APPI, the PPC may request the business operator to submit a report,

conduct on-site inspections and request or order the business operator to take remedial actions. If a business operator does not

submit the report and materials, or reports false information, it will be subject to a fine of up to JPY 500,000.

If a business operator does not follow an order from the PPC, it will be subject to a penalty of imprisonment for up to one year

or a fine of up to JPY 1,000,000. If the party that fails to follow such an order is an entity, the parties subject to this penalty will be

the relevant officers, representatives, or managers responsible for the violation, and the entity is subject to a fine of up to JPY

100,000,000.

An unauthorized disclosure of Personal Information, for the benefit of the disclosing party or any third party, will be subject to a

penalty of imprisonment for up to one year or a fine of up to JPY 500,000. If the party that discloses Personal Information is an

entity, the parties subject to this penalty will be the relevant officers, representatives, or managers responsible for the disclosure

and the entity is subject to the fine of up to JPY 100,000,000.

ELECTRONIC MARKETING

The Act on Specified Commercial Transactions (“ASCT”) and the Act on the Regulation of Transmission of Specified Electronic

Mail (“Anti-Spam Act”) regulate the sending of unsolicited electronic commercial communications.

Under the ASCT, which focuses on internet-order services, a seller is prohibited from sending email or fax advertisements to

consumers unless they have made a prior request or given consent (ie an opt-in requirement). The seller is also required to retain

the records that show consumers’ requests or consents to receive email or fax advertisements for 3 years for email advertisements

and 1 year for fax advertisements after the last transmission date of an email or fax advertisement to the consumer.

If a seller has breached any of these obligations regarding email advertisements, such seller will be potentially subject to a fine of

up to JPY 1,000,000.

Under the Anti-Spam Act, which broadly covers commercial emails (eg an invitation email from a social network service), there

are several regulations on sending email advertisements as follows:

the sender must retain records evidencing there was a request or consent to receive emails for at least 1 month after the

last date the sender sent an email to the recipient

for-profit entities or individuals engaged in business sending any email to advertise their own or another’s business must

obtain a request or consent to receive emails from intended recipients unless the recipient falls under certain exceptions

(eg there is a continuous transaction relationship between a sender and a recipient) in the Anti-Spam Act

an email is required to include a sender’s email address or a URL so that recipients can send opt-out notices to the

sender, and

senders must not send emails to randomly generated email addresses (with the hope of hitting an actual email address) for

the purpose of sending emails to a large number of recipients.

The relevant ministry may order a sender to improve the manner of email distribution if the sender violates the requirements

noted above. If the sender violates an order issued by the ministry (other than one related to the retention obligation), the

sender is subject to imprisonment for up to 1 year or a fine of up to JPY 1,000,000. In addition, the entity will be subject to a fine of

up to JPY 30,000,000 if an officer or an employee of the entity commits any violation mentioned above. If the sender violates an

order issued by the ministry with respect to the retention obligation, the sender will be potentially subject to a fine of up to JPY

1,000,000. In addition, the entity will be subject to a fine of up to JPY 1,000,000 if an officer or an employee of the entity commits

the violation mentioned above.

ONLINE PRIVACY

There is no law in Japan that specifically addresses cookies, but it is generally considered that cookies fall under the definition of

Personally Referable Information and thus the transfer of such data would be regulated by the APPI in certain circumstances. In

addition, if the information obtained through cookies may identify a certain individual in conjunction with other easily-referenced

information (eg member registration) and it is utilized (eg for marketing purposes), such Purpose of Use of information obtained

through the use of cookies must be disclosed under the APPI.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Tomomi Fujikouge
Of Counsel

T +81 3 4550 2817

tomomi.fujikouge@dlapiper.com


JERSEY

Last modified 21 February 2022

LAW

The Data Protection (Jersey) Law, 2018 (DPJL) and the Data Protection Authority (Jersey) Law, 2018 (DPAJL) came into force on

May 25, 2018. These laws superseded the Data Protection (Jersey) Law 2005, which had been held to be adequate by the

European Commission for the purposes of the European Data Protection Directive (Directive 95/46/EC) (see Commission

Decision 2008/393/EC). This decision continues to apply pending a review of Jersey’s adequacy (to be conducted under Article 45

of the European General Data Protection Regulation (GDPR)), the outcome of which was expected in 2021 but is now expected

in early 2022.

The DPJL and DPAJL provide a broadly equivalent regime to that under the GDPR.

DEFINITIONS

The DPJL defines ‘data’ as information that:

Is processed by means of equipment operating automatically in response to instructions given for that purpose or is

recorded with the intention that it should be processed by means of such equipment

Is recorded as part of a filing system or with the intention that it should form part of a filing system, or

Is recorded information held by certain public authorities

The DPJL defines ‘personal data’ as being any data relating to a data subject.

A ‘data subject’ is defined in the DPJL as an identified or identifiable, natural living person who can be identified, directly or

indirectly, by reference to (but not limited to) an identifier such as:

A name, an identification number or location data

An online identifier (which may include an IP address, location data or any unique number or code issued to the individual

by a public authority), or

One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the

person

Enhanced levels of protection in the DPJL and DPAJL are provided for ‘special category’ personal data.

‘Special category personal data’ is defined under the DPJL as personal data:

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership

Genetic or biometric data that is processed for the purpose of uniquely identifying a natural person

Data concerning health

Data concerning a natural person’s sex life or sexual orientation, or

Data relating to a natural person’s criminal record or alleged criminal activity


Personal data may be processed by either a ‘controller’ or a ‘processor’. The controller is the decision maker, the person who “alone

or jointly with others, determines the purposes and means of the processing of personal data” (Article 1(1) DPJL). The processor

“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the

DPJL imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the

processor.

NATIONAL DATA PROTECTION AUTHORITY

The DPAJL created a Data Protection Authority (the Authority) to oversee the DPJL. Save in respect of certain matters (in

particular the issuing of a formal public statement in relation to data protection issues or the issuing of an administrative fine), its

functions are delegated to the Information Commissioner.

REGISTRATION

Registration and fees are governed by the Data Protection (Registration and Charges) (Jersey) Regulations 2018 (as amended)

(the “Regulations”) under which annual processing fees are charged, the value of which are based on:

the number of full-time employees;

the level of past-year revenue;

whether the relevant entity is a regulated financial services provider (or otherwise subject to the Money Laundering

(Jersey) Order 2008);

if the entity processes special category data; and

if the entity is administered by a trust company business or fund services business, and if so, the name of the

administrator. 

The maximum fee payable on the basis of the above is £1,600. However, the majority of data controllers and processors pay £70.

Entities that are administered by a regulated trust company business or fund services business are required to pay a fixed annual

charge of £50. No fees are payable where the entity does not process data (as they would not be considered data controllers or

processors).

All controllers and processors are required to renew their registration annually. It should be noted that external accountability to

the Information Commissioner via registration or notification has in many ways been superseded in the DPAJL and DPJL by rigorous

demands for internal accountability.

In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing

activities (Article 14(3) DPJL), which must contain specific details about personal data processing carried out within an

organization and must be provided to supervisory authorities on request.

DATA PROTECTION OFFICERS

Data controllers and processors are required (Article 24 DPJL) to appoint a data protection officer if:

Processing is carried out by a public authority (with the exception of courts acting in their judicial capacity)

The core activities of the controller or the processor consist of processing operations that, by virtue of their nature,

scope or purposes, require regular and systematic monitoring of data subjects on a large scale

The core activities of the controller or the processor consist of processing special category data on a large scale, or

It is otherwise required by law

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 24(3) DPJL). However, larger corporate groups may find it difficult in practice to operate with a single data protection

officer. The data protection officer must be easily accessible to:

All data subjects

The Information Commissioner, and


The controller or processor who appointed the officer, along with the controller’s or processor’s employees that carry

out data processing

Data protection officers (DPOs) must have expert knowledge (Article 24(6) DPJL) of data protection law and practices, though it

is possible to outsource the DPO role to a service provider (Article 24(7) DPJL).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate

to the protection of personal data” (Article 25(1) DPJL), and the DPO must directly report to the highest management level of the

controller or processor (Article 25(2) DPJL).

In addition, controllers and processors must:

Ensure that the data protection officer operates independently and does not receive any instructions regarding the

performance of those duties, other than to perform them to the best of the officer’s ability and in a professional and

competent manner (Article 25(1)(c) DPJL), and

Not dismiss or penalize the data protection officer for performing his or her duties other than for failing to perform them

to the best of the officer’s ability and in a professional and competent manner (Article 25(1)(d) DPJL)

The specific tasks of the DPO are set out in Article 26 DPJL and include:

Informing and advising on compliance with the DPJL, DPAJL and other applicable data protection laws

Monitoring compliance with the law and with the internal policies of the organization, including assigning responsibilities,

raising awareness and training staff

Advising on and monitoring data protection impact assessments, where requested, and

Cooperating and acting as point of contact with the Information Commissioner

COLLECTION & PROCESSING

Controllers are responsible for compliance with a set of core principles that apply to all processing of personal data. Under these

principles, personal data must be (Article 8(1) DPJL):

Processed lawfully, fairly and in a transparent manner in relation to the data (‘lawfulness, fairness and transparency’)

Collected for specified, explicit and legitimate purposes and once collected, not further processed in a manner

incompatible with those purposes (‘purpose limitation’)

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data

minimization’)

Accurate and, where necessary, kept up-to-date, with reasonable steps being taken to ensure that personal data that are

inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)

Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the

data are processed (‘storage limitation’) and

Processed in a manner that ensures appropriate security of the data, including protection against unauthorized or unlawful

processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures

(‘integrity and confidentiality’)

Additionally, the controller is responsible for and must be able to demonstrate compliance with the above principles

(‘accountability’) (Article 6(1)(a) DPJL).

Accountability is a core theme of the DPJL. Organizations must not only comply with the DPJL, but also be able to demonstrate 

compliance, perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and

appropriate governance will all form a key role in achieving (and being able to demonstrate) accountability.

Legal Basis for Processing

The DPJL works slightly differently to the GDPR in terms of establishing a legal basis for processing.

Data controllers may collect and process personal data when any of a number of conditions are met (Article 9 and Schedule 2

DPJL). The most frequently relied upon are as follows:

The consent of the data subject

The processing is necessary for:

The performance of a contract to which the data subject is a party, or

The taking of steps at the request of the data subject with a view to entering into a contract

The processing is necessary to comply with a data controller’s legal obligations (other than one imposed by contract)

The processing is necessary to protect the data controller’s vital interests

The processing is necessary for:

The administration of justice

The exercise of any functions conferred on any person by or under any enactment

The processing is necessary for taking legal advice or the establishment, exercise or defense of legal claims

The exercise of any functions of the Crown, the States or any public authority, or

The exercise of any other functions of a public nature with a legal basis in Jersey law to which the controller is

subject and exercised in the public interest by any person

The processing is necessary for the legitimate interests pursued by the controller or by the third party or parties

to whom the data are disclosed, unless:

The processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or

legitimate interests of the data subject, in particular where the subject is a child, or

The controller is a public authority, or

The processing is necessary for reasons of substantial public interest provided for by law and is subject to

appropriate protections to protect the rights and interests of the data subject

Special Categories of Data

Where special category personal data is processed, at least one of a more restrictive list of conditions than those for personal

data must be satisfied (Article 9 and Schedule 2 Part 2 DPJL). Unlike the GDPR, personal data may also be processed on the basis

of the conditions for processing special category data. The most frequently relied upon bases for processing special category data

are as follows:

The explicit consent of the data subject

The processing is necessary to comply with a data controller’s legal obligations (other than one imposed by contract)

The processing is necessary for the purposes of exercising or performing any right, obligation or public function conferred

or imposed by law on the controller in connection with employment, social security, social services or social care

The processing is necessary for taking legal advice or the establishment, exercise or defense of legal claims

The processing is necessary for reasons of substantial public interest provided for by law and is subject to appropriate

protections to protect the rights and interests of the data subject

The processing is necessary to protect the vital interests of the data subject or of another natural person where the data

subject is physically or legally incapable of giving consent

The processing relates to personal data which are manifestly made public by the data subject

The processing is necessary for archiving or research

The processing is necessary for the prevention of unlawful acts (or malpractice / mismanagement)

The processing is necessary for certain insurance-based purposes, or

The processing is necessary for medical purposes and is undertaken by a health professional

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data (ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected). This is potentially in conflict with the core principle of purpose limitation, which aims to ensure that the rights of data subjects are protected. The DPJL sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 13 DPJL). These include:

Any link between the original purpose and the new purpose

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Jersey 563 | | | www.dlapiperdataprotection.com

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are, it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects, and

The existence of appropriate safeguards

Transparency

The data controller must provide the data subject with “fair processing information” (Article 12 DPJL), which includes:

The identity and contact details of the controller, and where applicable, the controller’s representative

The contact details of the data protection officer (if any)

The purposes for which the data are intended to be processed and the legal basis for the processing

An explanation of the legitimate interests pursued by the controller or by a third party, if the processing is based on those

interests

The recipients or categories of recipients of the personal data (if any)

Where applicable, the fact that the controller intends to transfer personal data to a third country or international

organization and whether or not there is an adequate level of protection for the rights and freedoms of data subjects in

that country or organization

The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period

Information concerning the rights of data subjects

Where the processing is based on consent, the existence of the right to withdraw consent

The existence of any automated decision-making and any meaningful information about the logic involved in such

decision-making and the significance of any such decision-making for the data subject

A statement of the right to complain to the Information Commissioner

Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter

into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences

of failing to provide such data

Where the personal data are not obtained directly from the data subject, information identifying the source of the data

Any further information that is necessary, having regard to the specific circumstances in which the data are or are to be

processed, to enable processing in respect of the data subject to be fair

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in limited circumstances. Controllers must provide information on action taken in response to requests

within four weeks as a default, with a limited right for the controller to extend this period a further eight weeks where the

request is onerous. These periods are slightly shorter than those set out in the GDPR.

Right of access (Article 28 DPJL)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 31 DPJL)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 32 DPJL)

Data subjects may request erasure of their personal data.

The right is not absolute; it only arises in a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 33 DPJL)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed other than for legal

claims of the data subject or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 34 DPJL)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format.

Right to object (Article 21 DPJL)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is for a public function. Controllers will then have to suspend processing of the data until such time as they

demonstrate ‘compelling legitimate grounds’ for processing that override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time (Article 36 DPJL). 

The right not to be subject to automated decision taking, including profiling (Article 38 DPJL)

Automated decision-making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

(a) Necessary for entering into or performing a contract

(b) Authorized by Jersey law or by the law of another jurisdiction in the British Isles or by EU or member state law, or

(c) The data subject has given their explicit consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the controller must implement suitable

measures to safeguard the data subject’s rights and freedoms and legitimate interests, including the right to obtain human

intervention on the part of the controller, so that the data subject can express his or her point of view and contest the decision.

Children’s consent to information society services (Article 11(4))

Article 11(4) of the DPJL stipulates that a child may only provide his or her own consent to processing in respect of information

society (primarily, online) services, where that child is over 13 years of age. Otherwise, a parent (or other responsible adult) must

provide consent on the child’s behalf.

Processing agreements

The rules on agreements (or other legally binding instruments) between controllers and

processors have been significantly enhanced.

The controller must appoint the processor in the form of a binding written agreement that sets out:

The subject matter and duration of the processing

The nature and purpose of the processing

The type of personal data and categories of data subjects, and

The obligations and rights of the controller

The agreement must also provide that the processor must:

Only act on the controller’s documented instructions (unless legally obliged to do otherwise)

Impose confidentiality obligations on all personnel who process the relevant data

Ensure the security of the personal data that it processes

Abide by the rules regarding appointment of sub-processors

Implement measures to assist the controller in complying with the rights of data subjects

Assist the controller in:

Complying with its data security obligations

Complying with its personal data breach obligations (both to a supervisory authority and individual data subjects), and

Completing Data Protection Impact Assessments and obtaining approvals from Supervisory Authorities where required

At the controller’s election, either return or destroy the personal data at the end of the relationship (except as required by law), and

Provide the controller with all information necessary to demonstrate compliance with the DPJL, which, in practice, means complying with an audit/inspection regime

TRANSFER

The DPJL (Article 67) provides that data controllers and processors may only transfer personal data out of the European

Economic Area if one of the following conditions are met:

The transfer is to a jurisdiction which has been held by the European Commission to provide an adequate level of

protection for personal data.

The transfer is made subject to ‘appropriate safeguards’ (Article 68 DPJL), which may include:

A legally binding and enforceable instrument between public authorities

Binding corporate rules approved by Jersey’s Information Commissioner or another competent supervisory

authority under the GDPR (or equivalent statutory provisions), or

Standard data protection clauses adopted by the Authority or by a competent supervisory authority and approved by the European Commission. It should be noted that the European Commission adopted a new set of standard contractual clauses in June 2021, which are expected to be approved by the Jersey Office of the Information Commissioner shortly.

An exemption applies, the most commonly utilized of which are as follows:

The transfer is specifically required by a Jersey court

The data subject explicitly consents

The transfer is necessary for the performance of a contract to which the data subject is party or the

implementation of pre-contractual measures taken at the data subject’s request

The transfer is necessary to carry out a contract between the data controller and a third party if the contract

serves the data subject’s interests

The transfer:

Is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal

proceedings)

Is necessary for the purpose of obtaining legal advice, or

Is otherwise necessary for the purposes of establishing, exercising or defending legal rights

The transfer protects the data subject’s vital interests where:

The data subject is physically or legally incapable of giving consent

The data subject has unreasonably withheld consent, or

The controller or processor cannot reasonably be expected to obtain the explicit consent of the data

subject

Transfers post Schrems II

The burden on Jersey controllers and processors of transferring personal data to unauthorised jurisdictions has increased following the CJEU’s Case C-311/18 Data Protection Commissioner v Facebook Ireland Limited, Maximillian Schrems and intervening parties (“Schrems II”).

The Jersey Information Commissioner confirmed that transfers in reliance on the EU-US Privacy Shield framework are no longer valid but that, following Schrems II, where Standard Contractual Clauses (“SCCs”) are used, controllers (and where applicable processors) must ensure that they have considered their transfers and taken any steps appropriate to ensure that they are lawful. However, the guidance does not provide any assistance as to what steps need to be taken in order to ensure that the chosen safeguards are appropriate. The required approach has since been clarified by the European Data Protection Board, which published Recommendations 01/2020 in June 2021 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (see below).

The emphasis is now on controllers/processors to satisfy themselves that the transfers to unauthorised jurisdictions are properly

assessed (taking into account the law and practice of the recipient jurisdiction) and, as appropriate, put in place supplementary

measures.

CJEU jurisprudence is not binding in Jersey, as Jersey is not an EU member state. However, it is likely to be persuasive (as is the

EDPB guidance noted above).

The EDPB guidance referenced above recommends a 6 step process in relation to international transfers:

1. Know your transfers. Be aware of where the personal data go so you know the level of protection provided there. Make sure the data you transfer are adequate, relevant and limited to what is necessary.

2. Verify the transfer tool your transfer relies on.

3. Assess if there is anything in the law and/or practices of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer.

4. Identify and adopt supplementary measures necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment has revealed issues with the third country’s safeguards. If no supplementary measure is suitable, the exporter must avoid, suspend or terminate the transfer.

5. Take any formal procedural steps the adoption of your supplementary measure may require.

6. Re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and monitor if there have been or there will be any developments that may affect it. This is an ongoing duty.

In practice, the above requires a detailed and documented transfer impact assessment (“TIA”).

What about the UK?

The European Commission has now recognised the UK as an adequate jurisdiction for the purposes of international data transfer,

meaning that transfers to and from the UK and Jersey may continue without restriction.

Jersey controllers and processors who are subject to the UK GDPR by virtue of its extra-territoriality provisions will also need to consider whether they may need to continue using the existing standard contractual clauses – the UK is yet to make a decision on replacing them for the purposes of the UK GDPR.

SECURITY

Controllers and processors must implement technical and organizational measures against unauthorized or unlawful processing of

personal data and against accidental loss or destruction of, or damage to, personal data that are proportionate to the risk of harm

posed to the rights of data subjects by such events (Article 21 DPJL).

‘Technical measures’ may include:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
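The first technical measure in that list, pseudonymisation, is easy to get wrong: hashing an identifier with plain SHA-256 is not pseudonymisation in any useful sense, because anyone holding the dataset can hash every plausible identifier and match. The Python below is an added example, not code from the DLA Piper text or from any Jersey guidance. It assumes the GDPR-style meaning of the term (direct identifiers replaced by a token, with the information needed to reverse the replacement kept separately) and uses constructed sample records with assumed field names. It keys the pseudonym with an HMAC secret that lives apart from the dataset, keeps a separate re-identification table, and contrasts this with an unkeyed hash under a dictionary attack.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people); field names are assumptions.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1990-04-12", "reading": 7.1},
    {"name": "Bob Example", "email": "bob@example.com", "dob": "1985-11-30", "reading": 6.4},
    {"name": "Alice Example", "email": "alice@example.com", "dob": "1990-04-12", "reading": 7.4},
]

# Fields that identify a person directly and must not reach the working dataset.
DIRECT_IDENTIFIERS = ("name", "email", "dob")


def pseudonym(key: bytes, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    Without `key` a token cannot be recomputed from a guessed identifier, so the
    key is the 'additional information kept separately' that distinguishes
    pseudonymisation from mere hashing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (dataset, lookup).

    `dataset` carries a subject token instead of direct identifiers and can be
    handed to analysts; `lookup` maps token -> identifiers and must be stored
    apart from the dataset (separate system, separate access controls), together
    with the key."""
    dataset, lookup = [], {}
    for rec in records:
        ident = "|".join(rec[f] for f in DIRECT_IDENTIFIERS)
        token = pseudonym(key, ident)
        lookup.setdefault(token, {f: rec[f] for f in DIRECT_IDENTIFIERS})
        row = {"subject": token}
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        dataset.append(row)
    return dataset, lookup


def reidentify(lookup, token: str):
    """Controlled reversal: only whoever holds the lookup table can do this."""
    return lookup.get(token)


def unkeyed_hash(value: str) -> str:
    """What NOT to use as a pseudonym for low-entropy identifiers."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates, hash_fn):
    """Attacker model: holds only the dataset (tokens) and a list of plausible
    identifiers (e.g. a breached email list, every date of birth). Hashes each
    candidate with the function the attacker can compute and looks for a match.
    Returns the recovered identifier, or None."""
    for candidate in candidates:
        if hmac.compare_digest(hash_fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    # In production the key would come from a KMS/HSM, never sit next to the dataset.
    key = secrets.token_bytes(32)
    dataset, lookup = pseudonymise(RECORDS, key)
    for row in dataset:
        print(row)
    print("re-identified:", reidentify(lookup, dataset[0]["subject"]))
    guesses = ["carol@example.com", "bob@example.com"]
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_hash("bob@example.com"), guesses, unkeyed_hash))
    print("keyed token recovered:",
          dictionary_attack(pseudonym(key, "bob@example.com"), guesses, unkeyed_hash))
```

The pseudonymised dataset is still personal data for the controller, which holds the key and the lookup table; the measure limits what a breach of the dataset alone exposes, it does not take the data outside the DPJL. Rotating the HMAC key re-issues every token, so a rotation plan has to re-key the lookup table at the same time.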

BREACH NOTIFICATION

The DPJL includes obligations related to ‘personal data breaches’, which are defined in the DPJL as breaches of security leading to

the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored

or otherwise processed.

Data controllers must notify the Information Commissioner via an online portal (https://oicjersey.org/breach-reporting/) that a personal data breach has occurred within 72 hours of becoming aware of the breach (Article 20 DPJL). A breach does not need to be notified to the Information Commissioner where it is unlikely to result in a risk to the rights and freedoms of natural persons in respect of their personal data. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the data controller must also notify those individuals.

Controllers are also required to keep a record of all data breaches (Article 20(5) DPJL) (whether or not notified to the

Information Commissioner) and permit audits of the record by the Information Commissioner.

ENFORCEMENT

In Jersey, the Authority is responsible for the enforcement of the DPJL and DPAJL. Its day-to-day powers are delegated to the

Information Commissioner, with the exception of the issuing of public statements and imposing fines.

The Authority has wide powers to require information and to enter and search premises (Schedule 1 DPAJL). It may also conduct

and/or require an audit of a controller or processor.

The Information Commissioner may take the following enforcement actions:

Reprimand

The DPAJL does not specify the conditions upon which a reprimand may be issued; however most will likely take the form of a

notice, and may be issued in combination with an administrative fine or a formal undertaking by the controller or processor to

meet future compliance with any part of the DPJL or DPAJL.

Warning

This sanction applies where it appears to the Information Commissioner that the intended processing or other act or omission is

likely to contravene the DPJL or DPAJL. Such warnings may be issued by way of a formal notice in advance of any intended

processing.

Order

This refers to a formal notice of enforcement and can order any or all of the following:

Bring specified processing operations into compliance with the DPAJL or DPJL, or take any other specified action required

to comply with the same, in a manner and within a period specified in the order

Notify a data subject of a personal data breach

Comply with a request made by the data subject to exercise a data subject right

Rectify or erase personal data

Restrict or limit the recipient’s processing operations, and

Notify persons to whom the personal data has been disclosed of the rectification, erasure or temporary restriction on

processing

Administrative Fines


The DPAJL also empowers the Authority to impose administrative fines (Article 26 DPAJL), which may be imposed in addition to

any other sanctions.

An administrative fine must not exceed £300,000 or 10% of the person’s total global annual turnover or total gross income in the

preceding financial year, whichever is the higher (Article 27(2) DPAJL).

An administrative fine ordered against any person whose processing of data that gave rise to the fine was in the public interest and

not for profit must not exceed £10,000 (Article 27(3) DPAJL).

Subject to the above limits, an administrative fine of up to £5 million may be ordered for:

Failure to make reasonable efforts to verify that a person giving consent to the processing of the personal data of a child

as required by Article 11(4) of the DPJL (information society services) is a person duly authorized to give consent to that

processing

Breach of Article 7 of the DPJL (obligations of joint controllers)

Breach of Part 3 of the DPJL (which includes record-keeping obligations, data protection by design and default, data

protection impact assessments, appointment conditions for data processors and breach notification)

Breach of Part 4 of the DPJL (which includes information security obligations and general obligations on processors), and

Breach of Part 5 of the DPJL (which includes obligations relating to data protection officers)

An administrative fine of up to £10 million may be imposed for:

Breach of Part 2 of the DPJL (which includes fundamental duties of controllers, including compliance with the data

protection principles, data subject information provisions and rules regarding consent) other than for Articles 7 and 11(4),

and

Breach of Part 6 of the DPJL (Data Subject Rights)

Right to claim compensation

The DPJL makes specific provision for individuals to bring private claims against controllers and processors.

Where a controller has breached the transparency and data subject rights provisions of the DPJL, a data subject may ask the Royal

Court to make such order as it considers appropriate, which may include:

An award of compensation for loss, damage or distress in respect of the violation

An injunction (including an interim injunction) to restrain any actual or anticipated violation

A declaration that the controller is responsible for the violation or that a particular act, omission or course of conduct on

the part of the controller would result in a violation, and

Requiring the controller to give effect to the transparency and data subject rights provisions (unless, in the case of a data

subject access request, the Royal Court is satisfied that complying with the request will cause serious harm to a third

party’s physical or mental health)

Any person who has suffered “loss, damage or distress” as a result of a breach of the DPJL has the right to receive compensation

(Article 69 DPJL) from the controller or processor. This means that individuals will be able to claim compensation for distress

even where they are not able to prove financial loss. In addition, data subjects have the right to mandate a consumer protection

body to exercise rights and bring claims on their behalf (Article 70). Individuals also enjoy the right to lodge a complaint with the

Information Commissioner in relation to any violation of the DPJL that affects him or her (Article 19 DPAJL). Last, all natural and

legal persons, including individuals, controllers and processors, have the right to complain to the Royal Court about a decision, or

failure to make a decision, of the Authority or Information Commissioner concerning him or her.

Offenses

The DPJL contains the following offenses:

Unlawfully obtaining personal data (Article 71 DPJL)

Requiring a person to produce certain records (Article 72 DPJL)


Providing false information (Article 73 DPJL), and

Obstruction (Article 74 DPJL)

The DPAJL contains the following offenses:

Failing to register with the Authority as a controller or processor (Article 17(6) DPAJL), and

Failing to comply with an order made by the Authority following a breach determination (Article 25(8) DPAJL)

If a company or other organization commits a criminal offense under the DPJL or DPAJL, any partner, director, manager, secretary

or similar officer or someone purporting to act in such capacity is personally guilty of an offense in addition to the corporate body

if:

The offense was committed with his or her consent or connivance, or

The offense is attributable to any neglect on his or her part

ELECTRONIC MARKETING

The DPJL applies to most electronic marketing activities, as they involve some use of personal data (eg, an email address that includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller.

Where consent is relied upon, the strict standards for consent under the DPJL apply, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the checking of an unchecked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 36 DPJL).

ONLINE PRIVACY

Jersey has no specific law regulating online privacy; however, the DPJL and DPAJL generally apply.

KEY CONTACTS

Carey Olsen Jersey LLP

www.careyolsen.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Huw Thomas
Counsel

Carey Olsen Jersey LLP

T +44 1534 888900

huw.thomas@careyolsen.com


JORDAN

Last modified 16 February 2022

LAW

Jordan currently does not have a comprehensive data protection law in force.

As yet, data protection is not regulated in Jordan under a specific law. However, the Personal Data Protection Law No. (__) for the Year 2020 is still a draft at the Legislation and Opinion Bureau.

DEFINITIONS

Definition of Personal Data

There is no specific definition in the laws or the regulations.

Definition of Sensitive Personal Data

There is no specific definition in the laws or the regulations.

NATIONAL DATA PROTECTION AUTHORITY

Not applicable.

REGISTRATION

No registration required.

DATA PROTECTION OFFICERS

Not applicable.

COLLECTION & PROCESSING

Jordanian legislation is silent in this regard.

TRANSFER

The Cybercrime Law No. (27) of 2015 (‘Cybercrime Law’) generally acts to criminalise unlawful access to websites or information systems, such as access without authorisation or permission, or in a manner that breaches the said authorisation or permission.

Anyone who intentionally enters a computer network or an information system by any means without authorisation, or in violation of or exceeding the authorisation, shall be punished by imprisonment for a period of no less than a week and not exceeding three months, or by a fine of no less than (100) one hundred dinars and not more than (200) two hundred dinars, or both of these penalties.

If the entry stipulated above is accompanied with the intention to cancel, delete, add, destroy, disclose, damage, withhold, modify, change, transfer or copy data or information, or stop or disrupt the work of the information network or the information system, then the offender shall be imprisoned for a period of not less than three months and not exceeding one year and a fine of no less than (200) two hundred dinars and not more than (1,000) one thousand dinars.

SECURITY

Anyone who intentionally enters the information network or information system by any means without permission, or in violation

of or exceeding authorisation with the aim of accessing data or information not available to the public and that affects national

security, foreign relations of the Kingdom, public safety or the national economy shall be punished with imprisonment for a period

of no less than four months and a fine of no less than (500) five hundred dinars and not more than (5000) five thousand dinars. 

If the entry referred to above is accompanied with the intention of cancelling, destroying, modifying, changing, transferring, copying or disclosing such data or information, the perpetrator shall be punished with temporary labour and a fine of no less than (1,000) one thousand dinars and not more than (5,000) five thousand dinars.

Anyone who intentionally accesses a website to view data on information not available to the public that affects national security,

the Kingdom’s foreign relations, public safety, or the national economy shall be punished by imprisonment for a period of no less

than four months and a fine of no less than (500) five hundred dinars. 

If the entry referred to in the paragraph directly above is accompanied with the intention to cancel, destroy, modify, change, move or copy such data or information, the perpetrator shall be punished with temporary labour and a fine of no less than (1,000) one thousand dinars and not more than (5,000) five thousand dinars.

BREACH NOTIFICATION

In relation to cybercrimes, the injured party has the right to submit a complaint to the Cybercrime Unit, which reviews the complaint and refers it to the court.

Mandatory breach notification

It is stated in the aforementioned draft Personal Data Protection law, under Article (6), that a unit will be established within the

Ministry of Digital Economy and Entrepreneurship, which will be responsible for preparing a regulation that controls the process

of receiving notifications and complaints regarding any violations that may affect personal data.

The second relevant law is the Cyber Security Law No. 16 of 2019, which established a National Center for Cyber Security that receives complaints and reports related to cyber security and cyber security incidents. The law opened the door for further collaboration with different official entities according to their spheres of specialty.

The Cybersecurity Framework for Jordan Financial Sector – V. 1 – July, 2021, states that organizational-level severity rating is performed by the entity to define the point at which an incident should be treated as a disaster, as well as to determine escalation procedures, the human resources required and the time allowed to recover. The entity has to notify the Central Bank of Jordan / Financial Cyber Emergency Response Team about the incident according to the following timelines:

Initial notification within 2 hours from confirmation of the incident.

After the closure of the incident for “Low” incidents.

Within 8 hours from confirming the incident and one time every two business days for “Medium” incidents.

Within 4 hours from confirming the incident and once a day for “High” incidents.

Additionally, Article (49) of the Instructions for Handling Cyber Risks No. (26/1/1/1984) for the Year 2018 stipulates that “the company shall notify the Central Bank in the event of discovering that it has been exposed to any cyber incident or any attempt of cyber-attack characterised by a high degree of danger to its systems or networks, no later than 72 hours from the moment of discovery of the cyber-event and according to the mechanism that will be adopted by the Central Bank, and inform the relevant security services of any case of embezzlement, forgery, theft or fraud resulting from the cyber event as soon as it is discovered and in accordance with the relevant laws and instructions.”

ENFORCEMENT

The Cybercrime Unit is the body responsible for handling complaints and referring them to the court. In general, the court enforces the sanctions set out in the Cybercrime Law and any other applicable laws and regulations.

ELECTRONIC MARKETING

The e-Procurement Instructions of 2018 mandate the use of JONEPS (Jordan Online E-Procurement System) in the implementation of public procurement.

A user of the system means the government entity, government unit or interested party that submitted an application for registration on the electronic system and was approved by the electronic system manager.

The instructions explicitly state that the user of the system shall maintain the confidentiality of the information available in the system and take all necessary precautions and measures to prevent the leakage of any information to any person, including the following:

Prevent the disclosure of information to persons who are not authorised to view or disclose it, and apply the highest levels of privacy, confidentiality, security and transparency of information.

Maintain the security and integrity of data against alteration or modification by any party that does not have the authority to do so.

Additionally, the tenderer shall put in place security controls to protect the system and devices, such as using anti-virus software, using current and robust software together with tools that detect intrusions by people or programs, and constantly updating information security software.

Finally, the user of the system must use the system in a safe and sound manner, and bears responsibility for any wrongful use by it or by its users.

ONLINE PRIVACY

Jordanian legislation is silent on this point.


KEY CONTACTS

Aljazy & Co.

www.aljazylaw.com/


Omar M.H. Aljazy
Managing Partner
Aljazy & Co.
T + (962 6) 5654477
oaljazy@aljazylaw.com

Sewar Smierat
Head of Corporate Department
Aljazy & Co.
T + (962 6) 5654477
ssmierat@aljazylaw.com


KAZAKHSTAN

Last modified 21 February 2022

LAW

The main legal act regulating personal data in Kazakhstan is the Law of the Republic of Kazakhstan No. 94-V dated 21 May 2013 ‘On Personal Data and Its Protection’ (the ‘Law’).

There are also a number of other laws providing for personal data protection requirements, including:

The Law on Informatisation

The Law on Communication

The Labour Code of Kazakhstan

DEFINITIONS

Definition of personal data

‘Personal data’ is any information relating to a specific individual (personal data subject), or to a personal data subject who can be identified on the basis of such information, which is recorded on electronic, paper and/or another tangible medium.

The Law divides personal data into:

‘Generally accessible personal data’, which is personal data that can be accessed freely with the consent of the personal data subject or to which confidentiality requirements do not apply in accordance with Kazakh law; and

‘Limited access personal data’, which is personal data, access to which is limited by Kazakh law.

Definition of sensitive personal data

Kazakh law does not provide an express definition of sensitive personal data.

In certain cases, sensitive personal data may qualify as limited access personal data and, as such, it is additionally regulated by sector-specific laws of Kazakhstan (e.g. medical secrecy, subscriber data). In our replies, we do not consider sector-specific restrictions which may affect personal data regulation (e.g. Kazakh law prohibits transfer of subscriber data, which includes, inter alia, personal data of subscribers).

NATIONAL DATA PROTECTION AUTHORITY

State regulation of personal data and its protection is carried out by various state authorities.

The main state authority in the field of personal data protection is the Ministry of Digital Development, Innovations and Aerospace Industry of the Republic of Kazakhstan (the “Ministry”). The Ministry:


participates in implementation of the state policy on personal data and its protection;

develops the procedure for implementation of personal data protection measures by the owner and/or operator of a personal data database and a third party related to the owner and/or operator of a personal data database;

develops the rules to be followed by the personal data database owner and/or operator when determining the scope of personal data necessary and sufficient for the performance of their tasks;

reviews requests of a personal data subject or his/her legal representative on compliance of the content of personal data and methods of its processing with the purpose of its processing, and makes a respective decision;

takes measures to bring persons who have violated the personal data laws of Kazakhstan to liability in accordance with the laws of Kazakhstan;

requests the owner and/or operator of a personal data database and a third party related to the owner and/or operator of a personal data database to clarify, block or destroy inaccurate or illegally obtained personal data;

takes measures to improve protection of the rights of personal data subjects;

approves the rules for collection and processing of personal data;

approves the rules for conducting a survey to assess the security level when storing, processing and distributing limited access personal data contained in electronic information resources (such rules must be agreed with the National Security Committee of the Republic of Kazakhstan);

exercises other powers provided by Kazakh law.

In relation to personal data and its protection, the Government of Kazakhstan:

develops the main directions of state policy;

manages activities of central and local executive bodies;

approves the procedure by which an owner and/or operator of a database containing personal data determines the list of personal data that is necessary and sufficient for performing the owner’s and/or operator’s tasks;

approves the procedure for implementation of measures for the protection of personal data by an owner and/or operator of a database containing personal data and a third party having access to such database; etc.

In relation to personal data and its protection, state authorities, each within its competence:

develop and/or approve regulatory acts;

consider appeals of individuals and/or legal entities regarding personal data and protection of personal data issues;

take measures for bringing persons who have violated personal data legislation of Kazakhstan to liability;

exercise other powers provided for by Kazakh law.

Supervision over observance of Kazakh law in respect of personal data and its protection is carried out by the prosecution authorities of Kazakhstan.

REGISTRATION

Under Kazakh law, there is no express registration requirement in relation to personal data and its protection.

DATA PROTECTION OFFICERS

Under Kazakh law, an owner and/or operator of a personal data database which is a legal entity should appoint a person responsible for organising the processing of personal data. Such person is obliged to:

exercise internal control over observance by the owner and/or operator of a personal data database and its employees of the requirements of Kazakh law in relation to personal data and its protection;

inform the employees of an owner and/or operator of the provisions of Kazakh law in respect of processing and protection of personal data;

exercise control over receipt and processing of applications from personal data subjects or their legal representatives.

In addition, an owner and/or operator of a database containing personal data and a third party related to the owner and/or operator should, inter alia, when collecting and processing personal data, determine the list of persons carrying out collection and processing of personal data or having access to it.


COLLECTION & PROCESSING

Kazakh law requires that collection and processing of personal data be carried out with the consent of the personal data subject or his/her legal representative. Such consent should be given in writing, in the form of an electronic document, via the personal data protection service or otherwise using protective measures that do not contradict Kazakh law.

As a general rule, personal data subjects or their representatives may revoke their consent. However, consent may not be revoked where such revocation would contradict requirements of Kazakh law or where there are unfulfilled obligations.

Kazakh law allows the collection and processing of personal data without the consent of a personal data subject or his/her legal representative in cases explicitly prescribed by Kazakh law. Such cases may include, inter alia:

implementation of activities of law enforcement bodies and courts;

implementation of state statistical activities;

use of depersonalised personal data by the state authorities for statistical purposes;

implementation of international treaties ratified by Kazakhstan;

protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his/her legal representative is impossible;

carrying out the lawful professional activities of a journalist, or mass media, scientific, literary or other creative activities, subject to compliance with requirements of Kazakh law;

publication of personal data in accordance with Kazakh law, including personal data of candidates for elective public offices;

failure by a personal data subject to fulfil his/her obligation to provide personal data in accordance with Kazakh law;

receipt by the state authority regulating, controlling and supervising the financial market and financial organisations of information from individuals and legal entities in accordance with Kazakh law;

receipt by the state revenue authorities of information from individuals and legal entities for purposes of tax administration and control;

storage of a backup copy of electronic information resources containing limited access personal data on a national backup platform for storing electronic information resources, in cases provided for by Kazakh law;

the use of personal data of entrepreneurs related directly to their business activities to form a register of business partners, subject to compliance with the requirements of Kazakh law; etc.

Under the Law, processing of personal data should be limited to the achievement of specific, predetermined and legitimate goals. Processing of personal data that is incompatible with the purposes of collecting personal data is not allowed. Personal data whose content and volume is excessive in relation to the purposes of its processing should not be processed.

Under Kazakh law, access to personal data is determined by the terms of the consent for collection and processing of personal data, unless otherwise provided by Kazakh law. A person should be denied access to personal data if he/she refuses to assume obligations to ensure compliance with the requirements of the Law or cannot ensure such compliance.

Persons having access to limited access personal data should ensure its confidentiality.

Under Kazakh law, accumulation of personal data is carried out by collecting personal data that is necessary and sufficient to fulfil the tasks performed by an owner and/or an operator of a database containing personal data and by a third party having access to such database.

Personal data should be stored in databases located in Kazakhstan.

The period for retention of personal data is determined by the date of fulfilment of the purpose(s) for collection and processing of the personal data, unless otherwise provided by Kazakh law.

Kazakh law provides for additional requirements in respect of electronic resources containing personal data.

TRANSFER


Transfers of personal data are allowed if they do not violate the rights and freedoms of a personal data subject and do not affect the legitimate interests of other individuals and/or legal entities.

The transfer of personal data in cases that go beyond the previously stated purposes of its collection is permitted if carried out with the consent of a personal data subject or his/her legal representative.

The cross-border transfer of personal data to other countries is carried out only in cases where such countries ensure protection of personal data.

The cross-border transfer of personal data to countries that do not ensure protection of personal data is possible:

with the consent of the personal data subject or his/her legal representative to the cross-border transfer of his/her personal data;

in cases stipulated by international treaties ratified by Kazakhstan;

in cases provided for by Kazakh law, if it is necessary for protecting the constitutional system, public order, public health and morals, and the rights and freedoms of a person in Kazakhstan;

in case of protection of constitutional rights and freedoms of a person, if obtaining the consent of a personal data subject or his/her legal representative is impossible.

Kazakh law may in certain cases prohibit the cross-border transfer of personal data.

SECURITY

Protection of personal data is guaranteed by the state and is carried out in a manner determined by the Kazakhstan Government. Collection and processing of personal data is carried out only if its protection is ensured. Kazakh law defines protection of personal data as a set of legal, organisational and technical measures.

The owner and/or operator of a personal data database and a third party having access to such database are required to take measures for protecting personal data, in a manner determined by the Kazakhstan Government, which ensure:

prevention of unauthorised access to personal data;

timely detection of the facts relating to an incident of unauthorised access to personal data, if such unauthorised access could not be prevented;

minimising adverse effects of unauthorised access to personal data;

the state technical service’s access to objects of informatisation that use, store, process and distribute limited access personal data contained in electronic information resources, so that the state technical service can carry out a survey to assess the security level of the processes of storage, processing and distribution of limited access personal data contained in electronic information resources, in the manner determined by the authorised body.

The obligations of an owner and/or operator of a database containing personal data and a third party having access to such database to protect personal data arise from the moment of collecting the personal data and remain in force until such personal data is destroyed or depersonalised.

Kazakh law provides for additional requirements with regard to protection of electronic resources containing personal data.

BREACH NOTIFICATION

An owner and/or operator of a database containing personal data should notify the authorised state body of security incidents involving illegal access to limited access personal data.

ENFORCEMENT

Generally, all state authorities of Kazakhstan, depending on their competences, (1) may consider appeals of individuals and/or legal entities regarding personal data and protection of personal data issues and (2) take measures against persons who have violated the personal data legislation of Kazakhstan.

Prosecution authorities of Kazakhstan carry out supervision over compliance with personal data legislation of Kazakhstan and may also take measures on bringing persons who have violated personal data legislation of Kazakhstan to liability. Interested persons may file complaints with the Prosecutor’s Office and the Ministry regarding breaches of the legislation in relation to personal data and its protection.

Kazakh law provides for administrative and criminal liability for violation of Kazakh law in relation to personal data and its protection.

ELECTRONIC MARKETING

Kazakh law does not expressly regulate personal data and its protection in relation to electronic marketing. However, electronic marketing should be carried out in compliance with the law ‘On Advertisement’ and the Law. As such, for example, the consent of a personal data subject should be obtained for the collection and processing of his/her personal data for electronic marketing purposes.

ONLINE PRIVACY

Kazakh law does not specifically regulate online privacy.

KEY CONTACTS


Dinara Jarmukhanova
Partner, Head of Kazakh practice
Centil Law Firm
T +7 727 315 0784
dinara.jarmukhanova@centil.law

Dariga Adanbekova
Associate
Centil Law Firm
T +7 727 315 0784
dariga.adanbekova@centil.law


KENYA

Last modified 9 December 2021

LAW

The Data Protection Act, 2019 (the “Act”) came into force on 25 November 2019 and is now the primary statute on data protection in Kenya. It gives effect to Article 31 (c) and (d) of the Constitution of Kenya, 2010 (right to privacy).

In October 2020, by virtue of the powers conferred on him under the Act, the Cabinet Secretary for Information, Communication, Technology, Innovation and Youth Affairs gazetted the Data Protection (Civil Registration) Regulations, 2020 (the “Regulations”). The Regulations apply to civil registries involved in processing personal data for registrations such as births, deaths, adoptions, persons, passports and marriages.

Since the Data Protection Commissioner’s (DPC) appointment on 16 November 2020, significant efforts have been made in developing regulations for the implementation of the Act:

Data Protection (Compliance & Enforcement) Regulations, 2021 – sets out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act;

Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 – provides for the registration of data controllers and data processors with the DPC. The threshold for mandatory registration is also set out under these regulations; and

Data Protection (General) Regulations, 2021 – elaborates in more detail the rights of data subjects, restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, notification of personal data breaches, transfer of personal data outside Kenya, conduct of data protection impact assessments and other general provisions.

The above regulations are, however, yet to be passed into law and are currently awaiting signature by the CS, after which they shall be published in the Kenya Gazette. Once passed into law, it is expected that the Act shall become fully operational.

DEFINITIONS

Definition of personal data

Section 2 of the Act 

Personal data is defined as data relating to an identified or identifiable natural person.

Definition of sensitive personal data

Section 2 of the Act


Sensitive personal data is defined as data revealing the natural person’s race, health status, ethnic social origin, conscience, belief, genetic data, biometric data, property details, marital status, family details including names of the person’s children, parents, spouse or spouses, sex or the sexual orientation of the data subject.

NATIONAL DATA PROTECTION AUTHORITY

Part II of the Act

The Act established the Office of the Data Protection Commissioner (DPC), whose mandate includes overseeing the implementation and enforcement of the provisions of the Act. The DPC is also tasked with maintaining the register of data controllers and processors, receiving and investigating complaints under the Act, and carrying out inspections of public and private entities to evaluate the processing of personal data.

REGISTRATION

Section 18 of the Act

Data processors and data controllers are required to be registered with the DPC. The DPC, however, has discretion to prescribe the thresholds for mandatory registration based on:

the nature of industry;

the volumes of data processed; and

whether sensitive personal data is being processed.

The Data Protection (Registration of Data Controllers & Data Processors) Regulations, 2021 provide for the registration of data controllers and data processors with the DPC. The threshold for mandatory registration is also set out under these regulations. However, the regulations are yet to be passed into law and are currently awaiting signature by the CS, after which they shall be published in the Kenya Gazette.

DATA PROTECTION OFFICERS

Section 24 of the Act

The Act makes provision for the designation of Data Protection Officers (DPOs), but designation is not mandatory.

DPOs can be members of staff and may perform other roles in addition to their DPO role. A group of entities can share a DPO, and the contact details of the DPO must be published on the organisation’s website and communicated to the DPC.

DPOs have the following roles:

advising the data controller or data processor and their employees on data processing requirements provided under the Act or any other written law;

ensuring compliance with the Act;

facilitating capacity building of staff involved in data processing operations;

providing advice on data protection impact assessments; and

co-operating with the DPC and any other authority on matters relating to data protection.

DPOs under the Regulations also have the following additional roles:

monitoring and evaluating the efficiency of the data systems in the organisation; and

keeping written records of the processing activities of the civil registration entity.

COLLECTION & PROCESSING

Section 25 of the Act

The processing of personal data must comply with the principles prescribed in this part. Personal data must be:

a. processed in accordance with the right to privacy of the data subject;

b. processed lawfully, fairly and in a transparent manner in relation to any data subject;

c. collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

d. adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;

e. collected only where a valid explanation is provided whenever information relating to family or private affairs is required;

f. accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data is erased or rectified without delay;

g. kept in a form which identifies the data subjects for no longer than is necessary for the purposes for which it was collected; and

h. not transferred outside Kenya, unless there is proof of adequate data protection safeguards or consent from the data subject.

Section 30 of the Act

The Act requires personal data to be collected and processed lawfully. The lawful bases for processing are:

consent of the data subject; or

the processing is necessary:

for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject before entering into a contract;

for compliance with any legal obligation to which the controller is subject;

in order to protect the vital interests of the data subject or another natural person;

for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

for the performance of any task carried out by a public authority;

for the exercise, by any person in the public interest, of any other functions of a public nature;

for the legitimate interests pursued by the data controller or data processor, or by a third party to whom the data is disclosed, except if the processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or legitimate interests of the data subject; or

for the purpose of historical, statistical, journalistic, literature and art or scientific research.

It is an offence to process personal data without a lawful reason.

Under the Regulations, civil registration entities must ensure that they collect only personal data permitted by the data subject and that appropriate steps are taken to ensure the quality and security of the personal data.

Where the registries intend to use such data for another purpose, they must either ensure that the purpose is compatible with the initial purpose or, where that is not the case, seek fresh consent.

The Data Protection (General) Regulations, 2021 elaborate in more detail restrictions on commercial use of personal data, duties and obligations of data controllers and data processors, elements of implementing data protection by design or default, conduct of data protection impact assessments and other general provisions. However, the regulations are yet to be passed into law and are currently awaiting signature by the CS, after which they shall be published in the Kenya Gazette.

TRANSFER

Part VI of the Act

The transfer of personal data outside Kenya is highly regulated under the Act. Prior to any transfer, the data controller or data processor must provide proof to the DPC of the appropriate safeguards with respect to the security and protection of the personal data, including, for example, that the recipient jurisdiction has similar data protection laws.

The consent of the data subject is required for the transfer of sensitive personal data out of Kenya.

Under the Regulations, civil registration registries cannot transfer personal data collected for civil registration purposes outside Kenya without the written approval of the DPC.

The Data Protection (General) Regulations, 2021 elaborate in more detail the transfer of personal data outside Kenya. However, the regulations are yet to be passed into law and are currently awaiting signature by the CS, after which they shall be published in the Kenya Gazette.

SECURITY

Sections 41 and 42 of the Act

Data controllers and processors are required to put in place appropriate organisational and technical measures that implement the data protection principles in an effective manner.

Civil registration registries are mandated to formulate written data security procedures, which must include the following:

instructions concerning physical protection of the database sites and their surroundings;

access authorisations to the database and database systems;

description of the means intended to protect the database systems and the manner of their operation for this purpose;

instructions to the authorised officer of the database and database systems regarding the protection of data stored in the database;

the risks to which the data in the database is exposed in the course of the civil registration entity’s ongoing activities;

the manner of dealing with information security incidents, according to the severity of the incident;

instructions concerning the management and usage of portable devices;

instructions with respect to conducting periodic audits to ensure that appropriate security measures, in accordance with the Procedure and these Regulations, exist; and

instructions regarding backup of personal data.

BREACH NOTIFICATION

Breach Notification

Section 43 of the Act

Data controllers have an obligation to notify the DPC of any breach within 72 hours of becoming aware of it. Data processors, on the other hand, are required to inform data controllers of any breach within 48 hours of becoming aware of it.

The data controller must notify the data subject of such breach without undue delay.

The Data Protection (General) Regulations, 2021 elaborate in more detail the notification of personal data breaches. However, the regulations are yet to be passed into law and are currently awaiting signature by the CS, after which they shall be published in the Kenya Gazette.

Under the Regulations, civil registration registries must also notify the DPC of any personal data breach; however, no timelines are stipulated for this requirement. The Regulations also grant the data subject the power to notify the relevant civil registration registry and the DPC where the data subject suspects that their personal data has been breached. This notification must be made within 14 days of such a suspicion.

Mandatory Breach Notification

Yes. Please see above analysis under “Breach Notification”.

ENFORCEMENT

The DPC has the duty to ensure the implementation and enforcement of the Act.


The Data Protection (Compliance & Enforcement) Regulations, 2021 set out the complaints handling procedures and enforcement mechanisms in the event of non-compliance with the provisions of the Act. However, the regulations are yet to be passed into law and are currently awaiting signature by the CS, after which they shall be published in the Kenya Gazette.

Section 62 of the Act

Where the DPC is satisfied that any person has violated the provisions of the Act, the DPC has the power to issue penalty notices for up to a maximum of Kenya Shillings Five Million (approximately USD 50,000) or 1% of an undertaking’s annual turnover for the preceding year, whichever is lower.

In addition, any act which constitutes an offence under the Act for which a penalty is not provided attracts a fine of up to Kenya Shillings Three Million (approx. USD 30,000) or imprisonment for up to 10 years, or both a fine and imprisonment.

ELECTRONIC MARKETING

Section 37 of the Act

The use of personal data for commercial purposes is prohibited unless the person undertaking this processing:

has sought and obtained express consent from the data subject; or

is authorised to do so under any written law and the data subject was informed of such use when the data was collected from the data subject.

The Cabinet Secretary in charge of information, communication and technology may, in consultation with the DPC, develop guidelines on the commercial use of personal data.

ONLINE PRIVACY

Kenyan law does not regulate on-line privacy. However, this may be prescribed in the regulations or future amendments to the

Act.

KEY CONTACTS

IKM Advocates

www.dlapiperafrica.com/en/kenya/


William Maema
Partner

IKM Advocates

T +254 20 2773 000

wmaema@ikm.co.ke

Imelda Anika
Senior Associate

IKM Advocates

T +254 722 898 393

ianika@ikm.co.ke


KOSOVO

Last modified 22 December 2021

LAW

The Law on Protection of Personal Data No.06/L-082 (“LPPD”) is the Kosovan law which entered into force and became applicable on 13 February 2019. The LPPD transposes the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”).

Scope of application 

The LPPD has a wide scope of application. Namely, the LPPD applies to (Article 2):

processing activities by private as well as public bodies;

processing of personal data in diplomatic and consular offices, including any representative office of Kosovo abroad. 

The LPPD has extraterritorial scope in that it applies to data controllers not established in Kosovo, which for the purposes of

processing personal data make use of automatic or other equipment in Kosovo; nevertheless, the LPPD will not apply if such

equipment is used only for transit purposes through the territory of Kosovo (Article 2(2)).

DEFINITIONS

Definition of Personal Data

“Personal Data” is defined as “any information related to an identified or identifiable natural person (‘data subject’).”

An identifiable natural person is defined widely as any person “who can be identified directly or indirectly, particularly by reference to an

identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical,

physiological, genetic, mental, economic, cultural or social identity of that natural person”.

Definition of Sensitive Personal Data

“Sensitive Personal Data” is defined as “personal data revealing ethnic or racial origin, political or philosophical views, religious

affiliation, union membership or any data related to health condition or sexual life, any involvement in or removal from criminal or offence

records retained in accordance with the law. Biometric characteristics are also considered sensitive personal data if the latter enable the

identification of a data subject in relation with any of the abovementioned circumstances in this sub-paragraph.” 

Genetic data, biometric data and data concerning health are also considered as sensitive category of personal data within the

meaning of the LPPD.

NATIONAL DATA PROTECTION AUTHORITY


The competent national data protection authority in Kosovo is the Information and Privacy Agency (“IPA”) which is established as

an independent agency, responsible for the supervision of implementation of the legislation on personal data protection, as well as

access to public documents, in order to protect the rights and fundamental freedoms of natural persons in relation to the personal

data processing and ensuring the guarantee of  access to public documents. 

IPA is divided into two organisational structures, namely (Article 58 (4)):

access to public documents;

protection of personal data. 

IPA is charged with the following tasks (Article 64 (1)):

supervision of the implementation of the LPPD;

advising of public and private bodies  on issues related to data protection;

informing the public on issues and developments in the area of personal data protection;

promotion and support of fundamental rights;

deciding on complaints submitted by the data subjects;

advising  the Assembly, the Government and other institutions and bodies on legislative and administrative measures with

regards to the protection of fundamental rights and freedoms of natural persons in terms of data processing;

carrying out inspections with regards to the implementation of the LPPD;

on its own initiative or upon request, providing opinions for public and private bodies, as well as publishing on any issues

related to personal data protection.

REGISTRATION

Since the LPPD transposes the GDPR, it follows the same approach: it imposes detailed protective obligations with which controllers and processors must comply, rather than restrictive registration or notification requirements to be undertaken with the IPA. Accordingly, in general, the LPPD does not contain mandatory provisions requiring registration of processing activities.

Nevertheless, controller and processor, including entities which process personal data based on the LPPD, are required to obtain

the certification to perform work related to personal data (Article 43(1)). 

In order to obtain certification, controllers, processors and legal entities must meet the following minimum criteria (Article 43(3)):

possession of adequate knowledge in the field of personal data protection;

where required, meet the necessary international safety standards;

when legal entities engage a controller or processor or other personnel, the latter must be certified;

prove that the exercise of their function pertaining to the protection of personal data, does not result in a conflict of

interest. 

In practice, the certification procedure is not applicable in Kosovo, and its implementation is subject to the adoption of a sub-legal

act (Article 43 (2)).

DATA PROTECTION OFFICERS

Controllers and Processors must appoint a data protection officer in the following cases (Article 37 (1)):

The processing is carried out by a public authority or body, except in cases of courts acting in their judicial capacity;

The core activities of the controller or the processor consist of processing operations which, by virtue of their nature,

their scope and/or their purpose, require regular and systematic monitoring of data subjects on a large scale;

The core activities of the controller or the processor consist of processing, on a large scale, of sensitive personal data, and

processing of personal data related to criminal convictions and offences.

COLLECTION & PROCESSING


LPPD adopts a wide definition of processing. Namely, processing includes any operation or set of operations performed to personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Article 3(1)(2)).

For the purposes of LPPD, data controller is defined as any natural or legal person, public authority or other body which, alone or jointly with others, determines the purpose and means of personal data processing (Article 3(1)(11)), whereas the processor is defined as a natural or legal person, from public or private sector which processes personal data for and on behalf of the data controller (Article 3(1)(14)).

When collecting and processing of personal data, Controllers must abide to the basic principles of data processing set forth in the

LPPD. Namely, personal data must be collected and processed based on the following principles (Article 4):

Principle of lawfulness, justice and transparency: personal data must be collected and processed in an impartial,

lawful and transparent manner, without infringing the dignity of the data subjects.

Principle of purpose limitation: personal data must be collected and processed only for the specified, explicit and

legitimate purposes and cannot be further processed in a manner which is incompatible with the stated purposes.

However, in cases of further processing for archival purposes in the public interest, scientific or historical research, as well

as statistical purposes, will not be considered to be incompatible with the initial purpose.

Principle of data minimisation: the personal data should be adequate, relevant and limited to the purpose for which

they are further collected or processed.

Principle of accuracy: personal data should be kept accurate at all times, and kept up to date. In this line, every

reasonable measure should be taken to ensure that inaccurate personal data are rectified or erased without delay.

Principle of storage limitation: personal data may be stored insofar as necessary to achieve the purpose for which

they are processed or collected; after which, the personal data should be erased, deleted, destroyed, blocked or

anonymised, unless otherwise foreseen by another relevant law.

Principle of integrity and confidentiality: personal data should be processed in a manner that ensures appropriate

security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss,

destruction or damage, by using appropriate technical and organisational measures;  

Principle of accountability: the controller is responsible for, and must be able to demonstrate, compliance with all the principles mentioned above.

Legal basis for processing of personal data (Article 5) 

With reference to the list above, processing of personal data shall be considered lawful if one of the following criteria is met:

The data subject has given consent for the processing of his/her personal data for one or more specific purposes;

Processing is necessary for the performance of a contract to which the data subject is a contracting party or in order to

take steps at the request of the data subject, prior to entering into a contract;

Processing is necessary for compliance with a legal obligation to which the controller is subjected;

Processing is necessary in order to protect the vital interests of the data subject or of another natural person;

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of the official

authority vested in the controller;

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except

where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which

require protection of personal data, in particular where the data subject is a child. This provision does not apply in cases

where the processing is carried out by public authorities in the performance of their tasks. 

Where the legal basis for processing is not based on the consent of the data subject or on the relevant legislation in force, in

order to comply with the LPPD and lawfulness principle when processing personal data for purposes different from the initial

purpose of the data collection, the following should be considered (Article 5(2)): 

Any link between the purposes for which the personal data have been collected and the purposes of the intended further

processing;


The context in which the personal data have been collected, in particular regarding the relationship between the data

subjects and the controller;

The nature of personal data being processed, especially in cases of processing of sensitive personal data or data related to

criminal convictions;

Possible consequences for the data subjects of the intended further processing;

The existence of appropriate safeguards, which may include encryption or anonymisation. 

Conditions for consent (Article 6) 

Where the collection and processing of personal data is based on the consent of the data subject, the Controller must be able to

demonstrate that the data subject has consented to process his/her personal data. In this line, when consent is given as a written

declaration, the latter must be presented in a manner which is clearly distinguishable from other matters, in an intelligible and

easily accessible form, using clear and plain language (Article 6(2)). 

Processing of special categories of personal data (Article 8) 

As a principle, LPPD prohibits the processing of special categories of personal data. Special categories of personal data within the

meaning of the LPPD are used synonymously with sensitive categories of personal data.

Notwithstanding the above, exemptions to prohibition of processing of sensitive personal data include the following circumstances

(Article 6(3)):

The data subject has given his/her explicit consent to the processing of those personal data for one or more specific

purposes, except where the relevant legislation in force provides that the general prohibition on processing of sensitive

personal data cannot be lifted by the data subject;

Processing is necessary for the purpose of carrying out obligations and exercising specific rights of the controller or of the

data subject in the field of employment and social security and social protection law, in so far as it is authorised by the

relevant legislation in force or a collective agreement providing for appropriate safeguards for the fundamental rights and

the interests of the data subject;

Processing is necessary to protect the vital interests of the data subjects or other natural persons, where the data subject

is physically or legally incapable of giving consent;

If the data subject has made the sensitive personal data public, without limiting their use, in an evidenced or clear manner;

processing is necessary for the establishment, exercise or defence of legal claims, or whenever courts are acting in their

judicial capacity;

Processing is necessary for reasons of substantial public interest, on the basis of the relevant legislation;

Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working

capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of

health or social care systems and services on the basis of relevant legislation or pursuant to contracts with a health

professional when such data are processed by a professional or under his/her responsibility subject to the obligation of

professional secrecy pursuant to respective legislation, established rules by national competent bodies or by another

person subjected to professional secrecy;

Processing is necessary for reasons of public interest in the area of public health, such as protection against serious

cross-border threats to health, or ensuring high standards of quality and safety of healthcare and of medicinal products or

medical devices, on the basis of the relevant legislation;

Processing is necessary for archiving purposes in the public interest, as well as scientific or historical research purposes, or

statistical purposes. 

Except in cases where the data subject has made his/her sensitive personal data public, special categories of personal data should

be protected in a special manner and be classified for the purpose of preventing unauthorised access or use (Article 8(4)).

Classification of sensitive personal data refers to marking of personal data to indicate their sensitive nature (Article 3(1) (4)).

TRANSFER

In the context of transfer of personal data, the LPPD addresses two situations: 


Transfer of personal data to countries and international organisations which ensure an adequate level of data protection,

and

Transfer of personal data to countries and international organisations which do not provide adequate level of data

protection. 

With regards to the transfer of personal data to countries or international organisations that ensure proper and adequate level of

data protection, as per a Decision adopted by the IPA, the list of countries and international organisations providing proper data

protection, the latest being adopted on 13 September 2021 (“the Decision”), includes the following countries: Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia,

Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Iceland, Lichtenstein,

Norway, and Switzerland. 

Moreover, the LPPD expressly allows the IPA to rely on the decisions adopted by relevant EU bodies with regards to the transfer

of personal data when drafting the list of approved countries providing adequate level of personal data protection (Article 46.2).

Accordingly, based on the Decision, IPA considers some countries (including those outside the EU) ensuring proper level of data

protection, in accordance with the EU Commission Decisions (Argentine, Andorra, Canada, Guernsey, Isle of Man, Jersey, Faroe

Islands, Israel, New Zealand, Uruguay, Japan and United Kingdom). 

With reference to the countries listed above, when transferring personal data, no special authorisation or permission is required

from the IPA, provided the data subject is aware and informed that the personal data are being transferred, as required by the

LPPD (Article 12.1.6). 

In case of transfer to third parties located in other countries, such application will depend on whether such countries are included

in the list of the IPA Decision  or decisions of the EU Commission. 

With regards to the transfer of personal data to international organisations, the Decision of the IPA does not specifically identify

or address international organisations providing adequate level of personal data protection. 

However, as a general principle, when deciding on the adequate level of data protection of another country or international

organisation, the IPA shall firstly take account of the following elements (Article 47.1):

The rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectorial,

including public security, defence, national security and criminal law and the access of public authorities to personal data,

as well as the implementation of such legislation, data protection rules, professional rules and security measures, including

rules for the onward transfer of personal data to another country or international organisation which apply within that

country or international organisation, case-law, as well as effective and enforceable data subject right and effective

administrative and judicial redress for the data subjects whose personal data are being transferred;

The existence and effective functioning of one or more independent supervisory authorities in the third country or to

which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data

protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their

rights and for cooperation with the supervisory authorities;

The international commitments the third countries or international organisation concerned has entered into, or other

obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or

regional systems, in particular in relation to the protection of personal data;

The type of personal data to be processed;

The purpose and duration of the proposed processing;

The legal arrangement in the country of origin and the recipient country, including the legal arrangement for protection of

personal data of foreign citizens;

The measures to secure personal data used in such countries and international organisations. 

In addition to the above, in its decision-making process the IPA will particularly pay attention to (Article 47.2):

Whether the personal data to be transferred will be or are used solely for the purpose of which they are being

transferred, or whether the purpose may change only on the basis of a permission of the data controller supplying the

data or on the basis of personal consent of the data subject;


Whether the data subject has the possibility of determining the purpose for which his or her personal data will be used, to

whom they are being transferred and the possibility of correcting or erasing inaccurate or out-dated personal data, unless

this is prevented due to the secrecy of the procedure by binding international treaties;

Whether the foreign data controller or data processor performs adequate organisational and technical procedures and

measures to protect personal data;

Whether there is an assigned contact person authorised to provide information to the data subject or to the IPA on the

processing of personal data transferred;

Whether the foreign data recipient may further transfer personal data, which may be done only on the condition that

another foreign data recipient to whom personal data will be disclosed ensures adequate protection of personal data also

for foreign citizens;

Whether effective legal protection is ensured for data subjects whose personal data were or are being transferred. 

In accordance with the above, it is safe to assume that international organisations fulfilling the listed criteria will be considered as

providing adequate level of personal data protection. Additionally, international organisations deemed as providing adequate level

of personal data protection by the EU Commission, may also be accepted by the IPA (Article 46.2).

SECURITY

LPPD contains general provisions on the security of processing of personal data. Security of processing refers to adopting appropriate organisational, technical and logical-technical procedures and measures in order to prevent any accidental or deliberate unauthorised destruction, disclosure, modification, etc. Security measures include (Article 31 (1)):

Pseudonymization and encryption of personal data;

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident;

A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for

ensuring the security of the processing. 

The above measures of security are not sector-specific and apply to the processing of personal data in general.

BREACH NOTIFICATION

Breach notification to the IPA 

LPPD foresees a mandatory breach notification to the IPA by data controllers not later than seventy-two (72) hours after

becoming aware of the breach, unless the personal data breach is unlikely to risk the rights and freedoms of natural persons

(Article 33 (1) (1)). When the data controller fails to report the breach after the 72 hours of becoming aware of it, the notification

to IPA must also contain reasons on delayed notification.

With regards to the processors, the LPPD states that they should notify the breach to IPA without undue delay (Article 33 (2)); however, a specific deadline as in the case of controllers is not provided.

Breach notification to the Data Subject 

The data subject is notified on any breach resulting in a high risk to his/her rights and freedoms, without undue delay (Article 34

(1)).  The obligation to communicate the breach to the data subject will not apply, provided the following conditions are met

(Article 34 (3)):

the controller has implemented appropriate technical and organisational protection measures, and those measures were

applied to the personal data affected by the personal data breach, in particular those that render the personal data

unintelligible to any person who is not authorised to access it, such as encryption;

the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects

(i.e. natural persons) is no longer likely to materialise;


it would involve disproportionate effort, whereby, there shall instead be a public communication or similar measure

whereby the data subjects are informed in an equally effective manner.


ENFORCEMENT

Filing a complaint at IPA 

The data subject is entitled to file a complaint with the IPA, while reserving the right to other administrative and judicial

remedies (Article 52). IPA is obliged to notify the data subject on the decision of the complaint, as well as inform the data subject

on the possibility of judicial remedy to uphold his/her rights with regards to violation of personal data (Article 52 (2)). However, if

IPA fails to inform the data subject on a decision with regards to the complaint within three (3) months of its submission, the data

subject shall be entitled to an effective judicial remedy (Article 53 (2)). 

Filing a complaint against a Decision of the IPA 

Every natural or legal person is entitled to file a complaint at the competent court against a binding decision of the IPA concerning

them, by initiating an administrative dispute before the competent court (Article 53). 

Right to an effective judicial remedy against a controller or processor 

Without prejudice of the right of the data subjects to issue a complaint with the IPA, each data subject shall have the right to an

effective judicial remedy in cases where he/she considers that the controllers or processors infringed the rights accorded by the

LPPD, as a result of processing of his/her personal data. 

With regards to filing complaints as described above, the data subject has the right to engage/mandate a non-profit body,

organisation or association which has been established in accordance with the relevant law and is active in the field of personal

data protection, to submit the complaint, represent and receive compensation on behalf of the data subject (Article 55 (1)). 

Fines 

Violations of provisions of LPPD are considered as minor offences/misdemeanours (i.e. kundervajtje, in Albanian) and are punishable by fines.

Fines for violation of provisions of LPPD, may be issued to legal persons, the authorised representative of the legal person or to

the person exercising independent activities. 

The severity of the fine depends on the identity of the offender, the nature of the violation and the extent of the violation.   

IPA is authorised to issue fines to legal persons or to a natural person exercising independent activities, in the amount ranging

from EUR 20,000 to EUR 40,000, if they fail to process personal data in accordance with LPPD, including but not limited to the

following violations (Article 92 (1)):

he/she processes personal data without any legal basis or without the consent of the data subject as provided by the

LPPD;

he/she entrusts an individual task relating to the processing of personal data to another person, without concluding a

written contract as required by the LPPD;

he/she processes sensitive personal data in violation of LPPD, or fails to provide the required protection to the sensitive

personal data. 

A fine ranging from EUR 2,000 to EUR 4,000 shall be imposed on the responsible/authorised representative of the legal person or

to the person exercising independent activities (Article 92 (2)). 

A fine ranging from EUR 1,000 to EUR 2,000 shall be imposed to the responsible person of a state body, in cases of minor

offences with regards to personal data (Article 92 (3)). 


A fine ranging from EUR 400.00 to EUR 1,000 shall be imposed to an individual, in cases of minor offences with regards to

personal data (Article 92 (4)). 

Serious and major violations of legal provisions 

In cases where IPA finds a serious and grave violation of the provision of processing of personal data, it may impose a fine ranging

from EUR 20,000 to EUR 40,000, or in cases of a company or enterprise it may impose a fine amounting to two percent (2%) of

the general turnover of the company/enterprise for the previous fiscal year in compliance with the GDPR (Article 105).

ELECTRONIC MARKETING

LPPD applies to direct marketing activities and to automated decision-making including profiling. LPPD allows data controllers to

use personal data obtained from publicly accessible sources or within the framework of lawful performance of activities for the

purposes of providing goods, services, employment or temporary performance of tasks, using postal services, telephone calls,

e-mails or other telecommunication means (Article 73 (1)). With regards to direct marketing, the data controllers may only use

the following personal data (Article 73 (2)):

personal name

permanent or temporary address

telephone number

e-mail

fax number. 

Other data may be processed only based on the data subject’s consent (Article 73 (2)).

A data subject is entitled to object at any time to the use of his/her personal data for the purposes of direct marketing (Article 74).

The objection of the data subject must be submitted in writing, and within eight (8) days of receiving the objection, the controller

must cease to use such personal data (Article 74 (1)).

ONLINE PRIVACY

There is no specific legislation with regards to on-line privacy (including cookies and location data). However, the LPPD considers location data and online identifiers as personal data (Article 3 (1) (1)). Accordingly, the processing of data which falls within the definition of the LPPD must be done in accordance with the provisions and principles of the LPPD.

Moreover, with reference to location data, the Law on Electronic Communications No.04/L-109 (“LEC”) stipulates that when location data are being processed, such data may be processed only if they are made anonymous or the users have given their consent for processing (Article 89 LEC). In this line, Article 23 of LPPD provides the following: “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Law”.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World | Kosovo | 593 | www.dlapiperdataprotection.com

KEY CONTACTS

Tashko Pustina Attorneys

tashkopustina.com/


Floran Pustina
Partner

Tashko Pustina Attorneys

T + 383 38 71 77 55

floran.pustina@tashkopustina.com

Mrika Gashi
Senior Associate

Tashko Pustina Attorneys

T + 383 49 61 36 65

mrika.gashi@tashkopustina.com


KUWAIT

Last modified 21 February 2022

LAW

Kuwait does not have a specific personal data protection law. However, recently the Communications and Telecommunications Regulatory Authority (CITRA) issued Decision No. 42 of 2021 on Data Privacy Protection Regulation (“Regulation”) imposing obligations in relation to data protection on Telecommunication Services Providers and related industry sectors.

The Regulation sets out detailed guidelines for the collection, storage, processing and transfer of data by private sector and public

sector service providers. The most interesting part of the Regulation is the wider ambit of the definition of ‘Service Provider’,

which ranges from traditional telecommunications service providers to anyone who operates a website, smart application or cloud

computing service, collects or processes personal data or directs another party to do so on its behalf through information centres owned or

used by them directly or indirectly. 

Exclusions to the obligations under the Regulation are for the collection and processing of private personal or family data by an

individual; or for security agencies for the purposes of controlling crimes and implementing state security measures. 

This is in addition to the obligations under Law No. 20 of 2014 (the E-Commerce Law) which requires that client data relating to

positional affairs, personal status, health status, certain financial information and other personal information must be retained

privately and confidentially by the recipient and its employees. Such data may not be disclosed without client consent or a court

order.

DEFINITIONS

Definition of personal data

Kuwaiti law does not define personal data. However, personal data is considered to include at least personal information about a person’s:

Positional affairs

Personal status

Health status, or

Elements of financial disclosures

These elements are undefined, but broadly construed to encompass any personal information relating to the specified data

element.

Definition of sensitive personal data

Kuwaiti law does not define sensitive personal data.

NATIONAL DATA PROTECTION AUTHORITY


There is no national data protection authority in Kuwait.

REGISTRATION

Not required.

DATA PROTECTION OFFICERS

Not required.

COLLECTION & PROCESSING

The Regulation requires that prior to the provision of service, the service providers must:

Provide all the information about the services to be provided and the terms of service in easy language both in English and

Arabic;

Clarify the purpose of collecting, and method of use of such data to the requester of service; and

Obtain consent of the requester of service for collection and processing of data and his knowledge and acceptance of all conditions, obligations and provisions for data collection and processing.

Besides the Regulation, the E-Commerce Law includes a general obligation prohibiting Kuwaiti governmental bodies, agencies, public institutions, companies, non-governmental bodies, or employees thereof from collecting or processing any information in an illegal manner without the consent of the concerned person or his or her representative.

TRANSFER

The E-Commerce Law similarly includes a general obligation prohibiting Kuwaiti governmental bodies from transferring any

information in an illegal manner without the consent of the concerned person or his or her representative.

SECURITY

No specific provisions.

BREACH NOTIFICATION

No specific provisions.

ENFORCEMENT

The Regulation does not provide specific penalties for breach of the prescribed obligations; instead, it provides for penalties and fines to be imposed under the CITRA Law, which lays down a range of punishments including imprisonment for a term of one to five years and fines ranging from five hundred Kuwaiti Dinars to twenty thousand Kuwaiti Dinars, or a combination thereof.

Violations of the E-Commerce Law are punishable by a maximum of three years imprisonment, and fines of no less than

KWD5,000 (US$17,500) for anyone who discloses personal information without proper consent or a court order. The

E-Commerce Law also provides for confiscation of tools, programs or devices used for unauthorized disclosure.

ELECTRONIC MARKETING

No specific provisions.

ONLINE PRIVACY

No specific provisions.


KEY CONTACTS

NEN International Attorneys & Legal Consultants

nenint.com/


Kashif Syed
Legal Director

NEN International Attorneys & Legal Consultants

T + 965 9696 2117

syed@nenint.com


KYRGYZSTAN

Last modified 21 February 2022

LAW

The Constitution of the Kyrgyz Republic prohibits the collection, storage, use and dissemination of confidential information and private life information without the consent of the subject of that confidential/private life information.

More detailed regulation of personal data may be found in the Law of the Kyrgyz Republic on Personal Data No. 58 dated 14 April 2008 (‘The Law on Personal Data’), which entered into force on 18 April 2008. The most recent amendments were made to the Law on Personal Data on 29 November 2021. These amendments state that the rules for processing personal data for the purposes of protecting the rights of participants in criminal proceedings are determined by the Cabinet of Ministers of the Kyrgyz Republic.

The Law on Personal Data is directed at the legal regulation of work with personal data, based on standard international norms and principles and in accordance with the Constitution and laws of the Kyrgyz Republic, and is necessary first of all for assuring individuals’ rights and freedoms relating to the gathering, processing and use of personal data.

The Law on Personal Data regulates relations arising in work with personal data, irrespective of the information processing means applied, except for work with personal data involving its further transfer to third persons.

Additional requirements to collection, use and transfer of personal data can be found in the following normative-legal acts:

Procedure for Obtaining Consent of Personal Data Subject on Collection and Processing of its Personal Data, the

Procedure and Form of Notification of Personal Data Subject on Transfer of their Personal Data to a Third Party

approved by the Regulation of the Government of the Kyrgyz Republic dated 21 November 2017 # 759;

Requirements for Ensuring the Security and Protection of Personal Data During their Processing in Personal Data

Information Systems, the Implementation of Which Ensures the Established Levels of Protection of Personal Data

approved by Regulation of the Government of the Kyrgyz Republic dated 21 November 2017 # 760.

DEFINITIONS

The Law on Personal Data provides that information recorded on a material carrier relating to a particular person, which identifies a specific person or which could be used to identify a specific person, directly or indirectly, by reference to one or more factors related to biological, economic, cultural, civil or social identity, shall qualify as ‘personal data’.

Personal data include:

Biographical and identification data

Personal characteristics

Information on marital status

Financial status

Health data


There is no clear definition of Sensitive Personal Data. Under the provisions of the Law on Personal Data, all personal data is

confidential. It should be noted that the Holder (Owner) of personal data (ie the data controller) and the data processor are

obliged to ensure protection of personal data to prevent:

Unauthorized access

Blocking

Transmission

As well as its accidental or unauthorized destruction

Alteration or loss

Provide guarantees in respect of technical security measures and organizational measures regulating processing of personal

data

However, confidentiality of personal data does not apply in cases of anonymisation or on request of the individual to which the

personal data relates.

NATIONAL DATA PROTECTION AUTHORITY

The President of the Kyrgyz Republic, by Decree No. 391 dated 14 September 2021, announced the creation of the State Agency for Protection of Personal Data. However, currently neither the regulations and by-laws of the new Agency have been adopted, nor has an authorized officer been appointed.

REGISTRATION

The Law on Personal Data obliges Holders (Owners) of Personal Data Arrays to register with the competent state authority; however, to the best of our knowledge, none of the Holders (Owners) of Personal Data Arrays have been registered to date, in particular because such a regulator does not exist.

According to the Law on Personal Data within the registration procedure the following must be provided:

Name and details of Holders (Owners) of Personal Data Arrays (ie data controller)

Purposes and procedures of collection and processing of personal data

Retention and terms of storage

List of collected personal data

Categories or groups of personal data bearers

A source of collecting of personal data

Procedure of notification of data subjects on collecting and possible transfer of personal data

List of measures regarding the regime of confidentiality and safety of personal data

Authorized person responsible for working with personal data

Receiving party or category of receiving parties of personal data

Proposed transfer of personal data outside of the Kyrgyz Republic

DATA PROTECTION OFFICERS

Under the Law on Personal Data, Holders (Owners) of personal data (ie the data controller) must indicate in their registration the name and contact details of the person responsible for the work with personal data. However, the Law on Personal Data does not contain any direct obligation to appoint a Data Protection Officer.

COLLECTION & PROCESSING

One of the basic principles of dealing with personal data is that personal data must be collected for accurately pre-defined, stated

and legal purposes and must not be further processed in any manner incompatible with those purposes.

Processing of personal data is permitted in the following cases:

The data subject has given its consent


If it is necessary for public authorities, local authorities within their competence established by laws of the Kyrgyz Republic

If it is necessary to achieve the legitimate interests of Holders (Owners)

When implementation of these interests does not preclude the exercise of rights and freedoms of data subjects with

regard to the processing of personal data

When it is necessary to protect the interests of the data subject

If personal data are processed solely for the purposes of journalism or for the purpose of artistic or literary works

TRANSFER

The Law on Personal Data allows transfer of personal data both within the country and abroad.

Transfer of personal data within the Kyrgyz Republic

Data subject must be informed (in any form within a week)

Personal data may be transferred without consent of the data subject in the following cases:

Extreme necessity in order to protect the interests of the data subject

Upon request of state authorities, local authorities, if the requested list of personal data fall under the

competence of the requesting authority

Under any other case established by laws of the Kyrgyz Republic

Transfer of personal data outside the Kyrgyz Republic

The cross-border transfer is carried out on the basis of an international treaty between the countries, under which the

receiving party must provide adequate protection of the personal data

Consent of the data subject has been obtained, or

Personal data may be transferred to the countries that do not provide the adequate level of protection on certain

conditions:

With consent of the data subject

If the transfer is necessary to protect the data subject’s interests, or

If personal data are contained in the Public Personal Data database

When transferring personal data to the global information network (internet, etc) the Holder of the personal data (ie the data

controller) transferring such data, shall provide the necessary means of protection with regard to the confidentiality of the

information being transferred.

SECURITY

When processing personal data the Holder (Owner) of personal data (data controller) and processor shall:

Prevent access of unauthorized persons to the equipment used for personal data processing (access control)

Prevent unauthorized reading, copying, modification or removal of data media (control of data media use)

Prevent unauthorized recording of personal data and alteration or destruction of stored personal data (entry control) and

enable backdated determination of when, by whom and which personal data have been altered

Ensure security of data processing systems, designed to transfer personal data irrespective of the data involved (control of

data transmission means)

Ensure that each user of a data processing system has access only to the personal data which it is authorized to process (controlled access)

Enable backdated determination of when, by whom and which personal data have been entered into the data processing

system (input control)

Prevent unauthorized reading, copying, alteration and destruction of personal data during the transmission and

transportation of personal data (transport control)

Ensure the confidentiality of the information in the course of personal data processing


BREACH NOTIFICATION

If the Holder (Owner) of personal data (data controller) transfers the personal data without consent of the data subject to a third

party they must inform the data subject within a week.

ENFORCEMENT

Although the Law on Personal Data has been adopted, there is no enforcement practice of its provisions in place. However, since a responsible agency has been designated (the State Agency for Protection of Personal Data), enforcement practice may change after the agency is fully operational.

ELECTRONIC MARKETING

Sending of electronic communications for advertising is generally subject to prior express consent of the recipient.

ONLINE PRIVACY

The Law on Electrical and Postal Communication establishes that all databases of telecommunication operators must be

confidential and that telecom operators are obliged to keep communication data confidential.

KEY CONTACTS


Begaliev Kerim
Partner

Centil Law Firm

T +996 312 919780

kerim.b@centil.law


LAOS

Last modified 14 December 2021

LAW

In Laos, the comprehensive regulatory framework on data privacy focuses on data in its digital form – electronic data – and none

other.

From 2012, Laos has introduced this framework by circulating relevant information only. This trend has accelerated since 2015

with the publication of the Law on Cyber Crime. Issues pertaining specifically to the protection of electronic data are regulated by

the Law on Electronic Data Protection and the subsequent Instructions on the Implementation of the Law on Electronic Data

Protection, as follows:

Law on Electronic Transactions (2012)

Law on Cyber Crime (2015)

Decision on the Penalties of the Law on Cyber Crime (2017)

Law on Electronic Data Protection (2017)

Penal Code (2017)

Instructions on the Implementation of the Law on Cyber Crime (2018)

Instructions on the Implementation of the Law on Electronic Data Protection (2018)

In addition, for both professionals and non-professionals, the authorities have provided a series of best-practice guidelines for the use of software and hardware, social media platforms, and better protection of electronic data.

The two main pieces of regulation relating to data privacy are the Law on Electronic Data Protection and the Instructions on the

Implementation of the Law on Electronic Data Protection.

DEFINITIONS

Definition of Personal Data

Article 3, Section 12 of the Law on Electronic Data Protection defines “personal data” to mean electronic data of an individual,

legal entity, or organization.

Definition of Sensitive Personal Data

The Law on Electronic Data Protection aims to protect any type of electronic data. The law categorizes electronic data roughly

into three types: (i) general data, (ii) sensitive data (a literal translation would be “specific data”), and (iii) prohibited data.

Depending on its nature, personal data may fall under one of these three categories. Accordingly, there is no “sensitive personal data” so to speak; rather, personal data may fall under the category of sensitive data.

Sensitive data is information “that an individual, legal entity, or organization cannot access, use, or disclose if [they] have not

received consent from the Information Owner, or the relevant organization” (Article 10).


A list of examples of sensitive data is provided in the Instructions on the Implementation of the Law on Electronic Data (2018),

which includes “information on customers, financial information, CV, history of medical treatment, race, religion, project plan,

budget plan, official servant secret, etc.” (Section 3). The list is not exhaustive, and there is no official guidance to anticipate what

other data may be considered sensitive data apart from these examples.

NATIONAL DATA PROTECTION AUTHORITY

The Law on Electronic Data Protection (2017) delegates the Ministry of Post and Telecommunications (MPT) to handle matters

related to the protection of electronic data. The MPT is the main administration in charge of issues pertaining to electronic data

privacy across the country. The MPT is assisted by its departments located in each of the 17 provinces that compose Laos.

In its tasks to analyze and respond to digital issues and threats, the MPT is assisted by the Lao Computer Emergency Response

Team (LaoCERT), which was established in 2012. LaoCERT is under the direct supervision of the MPT and is the agency on the

front lines that receives reporting of security breaches from individuals or legal entities operating in Laos and/or complaints of

offenses committed online.

REGISTRATION

There is no registration required for Data Protection Officers in Laos, or for any legal entities or individuals with a national data

protection authority, as the case may be in other jurisdictions.

DATA PROTECTION OFFICERS

Under the Law on Electronic Data Protection, there is no data protection officer so to speak. The law introduces the idea that a

team or an employee is required to supervise the protection of sensitive data; no information is provided on the duties and rights

of such team or employee, or their scope of work. Moreover, the team or employee in charge of the protection of sensitive data

is not required to register with any authority.

COLLECTION & PROCESSING

The collection of information is defined under the Instructions on the Implementation of the Law on Electronic Data Protection as

“the compiling of information in a database…for the convenience of access, monitoring, and use…”.

The Law on Electronic Data Protection speaks literally of “administration” of data. Administration of electronic data refers to the

management and arrangement of data, which includes the collection, copying, submission, receipt, maintenance, and destruction of

electronic data. This administration of data is carried out by the Data Administrator, which is defined as an “individual, legal entity,

or organization which has the duty to administrate electronic data, such as: a Ministry, an Internet Data Center, a

Telecommunications Service Provider, an Internet Service Provider, or a Bank.” Apart from this definition, and the examples

provided in the law, the Lao regulatory framework does not provide official guidance on who may or may not fall under the

definition of Data Administrator.

By law, all data, general or sensitive, requires consent from the Information Owner to be collected. However, there is no

information on how this consent may be collected.

Information Owner is defined as the individual, legal entity, or organization who/which is the owner of the electronic data. In this

regard, the law does not necessarily identify the Information Owner as an individual only, or an individual who may be identified

according to personal data that relates to him/her. The law only provides that the Information Owner is the entity that “owns”

the information.

Sensitive data is more regulated as it requires the approval from the Information Owner for the access, use, and disclosure of

sensitive data. At the time of the collection, the Information Owner must be informed of:

the identity of the Data Administrator

the purpose of the collection of the information

the type of information that will be collected


the rights of the Information Owner, which include:

the right to amend the information provided

the right to stop the sending or transfer of information to third parties

the right to delete the information collected per request, or at the time that the purpose of the collection of the

information expires. 

Also, the Data Administrator and the Information Owner have the duty to ensure that the information provided is correct – it

does not contravene local regulations, and does not affect the country’s socio-economic development, national stability, or social

order.

TRANSFER

The Law on Electronic Data Protection provides that the transfer of data must abide by the following requirements:

the Information Owner has given its consent for the transfer of the electronic data, and the individual or legal entity

transferring the electronic data ensures that the receiving entity can protect the electronic data properly

documents concerning important information, such as financial, banking, investment, and accounting information, must

be encrypted

information which is transferred or submitted must not be distorted

the transfer must be in line with the agreement between the sender and the recipient

submission or transfer of data must be stopped when the receiver of the data does not intend to receive the

information anymore.

The law does not address whether the requirements above should be applied to all individuals or entities, or only to the Data

Administrator.

In addition, the Law on Electronic Data Protection emphasizes that any individual, legal entity, or organization contemplating sending or transferring personal data or official data (pertaining to governmental bodies) out of Laos must obtain the consent of the Data Administrator and ensure that such submission or transfer does not contravene Lao law; the law provides no further details.

SECURITY

Generally, the Law on Electronic Data Protection requires the Data Administrator to ensure the following regarding the

storage/maintenance of electronic data: 

there is a team or employee responsible for the administration of sensitive data

there is, among other things, an adequate system to store or use the data, and a data safeguard system to protect the data

there is a backup system for destroyed or deleted data

information is recorded by way of another appropriate method (e.g., paper, magnetic storage), and the appropriate

measure is used to guarantee good maintenance

a risk assessment is conducted on the protection system at least once a year, and any failures uncovered during the

inspection are corrected

access to the system is inspected, and protected from any intrusion, virus, or other risks

any adverse events that have occurred or are about to occur are immediately solved

the information that is under the responsibility of the Data Administrator is protected.

BREACH NOTIFICATION

There is no mandatory breach notification in Laos. Individuals and legal entities facing a breach may make a notification, but only to seek assistance and recommendations on how to resolve the breach, not for the sake of transparency.


There is no sanction for not notifying a data breach under the current legal framework.

ENFORCEMENT

The enforcing authorities with regard to electronic data protection are:

Ministry of Post and Telecommunications (MPT)

Economic Police, and

Lao People’s Court.

LaoCERT does not have the authority by law to issue fines or sanctions.

ELECTRONIC MARKETING

The Decision on Protection of Consumers Using Telecommunications and Internet Services (2020) regulates unsolicited

commercial communications (e.g., phone calls or messages) to consumers, with the following restrictions: 

such calls and messages are prohibited from 8:00 to 17:00, Monday to Friday

no more than 10 unsolicited commercial communications are allowed per month, per individual

no more than two unsolicited commercial communications are allowed per day 

The decision provides that any individual or legal entity intending to use unsolicited commercial communications for their goods

or services must receive the consent of the telecommunications or internet service provider of the prospects they plan to call.

The decision does not offer guidance on how the relevant service provider’s consent may be obtained. Rather, the decision requires the telecommunications and internet service providers to ensure that unsolicited commercial communications are made by authorized persons. In addition, the decision delegates these providers to monitor the distribution of unsolicited commercial messages, thereby ensuring that these limits are not breached.

Consumers who receive unsolicited commercial communications can file a complaint with the MPT and resolve subsequent

disputes with the relevant service provider. The decision also notes that consumers can voice complaints or seek guidance via one

of the following official hotlines: 

1510 – Ministry of Industry and Commerce

1516 – Prime Minister’s Office

156 – National Assembly 

The Ministry of Industry and Commerce’s website (http://www.lcp.gov.la/) is also expected to become an available channel for complaints in the future.

ONLINE PRIVACY

As provided, the collection of data must receive the consent of the relevant Information Owner.

On the other hand, based on the main laws and regulations above, it is difficult to anticipate which category cookies and location data fall under, given the ambiguous definitions of general data, sensitive data, and personal data.


KEY CONTACTS


Dino Santaniello
Head of Office

Tilleke & Gibbins Lao Co., Ltd

T +856 21 262 355

dino.s@tilleke.com

Saithong Rattana
Attorney-at-Law

Tilleke & Gibbins Lao Co., Ltd

T +856 21 262 355

saithong.r@tilleke.com


LATVIA

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However,

there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own

domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the

Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Personal Data Processing Law has been approved by the parliament and came into force on July 5, 2018. This law provides the legal prerequisites for the implementation of the GDPR in Latvia and replaced the previous Personal Data Protection Law.

DEFINITIONS

Personal data is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Latvia 607 | | | www.dlapiperdataprotection.com

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Personal Data Processing Law reproduces the definitions of Article 4 of GDPR, and generally uses the same

terminology as the GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

According to the Personal Data Processing Law, the Data State Inspectorate (DSI) has become an independent institution, although it is still supervised by the government.

In addition to the tasks provided by the GDPR, The Personal Data Processing Law provides for the DSI to perform the

following tasks:

Verifying the compliance of the processing of personal data with the requirements of regulatory enactments when

the controller is prohibited by law from providing information to the data subject, after receiving a relevant

application from the data subject

Investigating administrative offenses

Participating, in accordance with its competence, in the drafting of laws and policies, and giving an opinion on draft

laws and policy planning documents prepared by other institutions

Providing opinions on the compliance of the personal data processing systems created by state and local

government institutions with the requirements of regulatory enactments

Monitoring the circulation of information society services in relation to personal data protection

Monitoring the operation of credit information offices

Issuing a license to credit information offices


Cooperating with foreign supervisory authorities in the fields of personal data protection, information disclosure and access control, and the prohibition of sending commercial communications

Forwarding a data subject’s request for information concerning themselves to Eurojust and Europol

Representing Latvia in international organizations and activities in the field of data protection

Carrying out studies, analyzing situations, making recommendations, opinions and informing the public about

current issues in the areas of its competence

Performing other tasks prescribed by regulatory enactments

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

Since the GDPR does not provide for the registration of personal data processing, the previous registers and registration systems no longer exist. Data recorded before that point remains as archived information about past activities.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or

Its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws


To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff

To advise and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Personal Data Processing Law provides no derogation from the requirements of the GDPR regarding DPOs. The Personal Data Processing Law provides the rules for examining an individual’s knowledge of data protection and obtaining the status of DPO. The Personal Data Processing Law allows data controllers and processors to appoint as a DPO any person who has the qualifications required by the GDPR.

The October 6, 2020 Cabinet Regulation No 620 “Data Protection Specialist Qualification Regulation” (Regulation No 620) determines in detail the application procedure, the content and procedure of the qualification examination and the payment procedures for organizing the qualification exam. However, the qualification examination is not mandatory.

Regulation No 620 does not set mandatory education requirements. A person who wishes to take the qualification exam applies to the Data State Inspectorate and pays the examination fee. After the person has passed the qualification exam, they are included in the list of qualified DPOs maintained by the Data State Inspectorate and published on its website.

Regulation No 620 also provides for the maintenance of professional qualifications for DPOs who have already been included in the DPOs’ list. To maintain their professional qualifications, the DPOs must participate in training in personal data protection or in another field related to the performance of the DPO’s duties.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (purpose limitation principle)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and where necessary kept up-to-date (accuracy principle)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate

compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and

appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are


(Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (of the EU) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:


Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.


Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

Necessary for entering into or performing a contract

Authorized by EU or Member State law

The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

The Personal Data Processing Law contains provisions on specific treatment related to the exercise of other fundamental

rights of the individual, providing derogations relating to the data processing for archiving purposes, scientific or historical

research purposes, statistical purposes, and the processing of national classified data.

The Personal Data Processing Law provides specific rules and exceptions regarding the journalistic, academic, artistic and

literary processing of personal data. When processing data for these purposes, it is necessary to assess the balance

between the right to privacy and freedom of expression.

The Personal Data Processing Law also provides for specific rules regarding the processing of data in the official publication. It states that the data published in the official publication is deleted by the publisher on the basis of a decision of the DSI or a decision confirming that such publication does not comply with the provisions of the GDPR.

The consent of a child for the use of information society services is deemed lawful where the child is at least 13 years old,

meaning that Latvia has chosen the lowest threshold regarding the age of the child. Where the child is below the age of 13

years, such consent will be lawful only if and to the extent that consent is given or authorized by the holder of parental

responsibility over the child.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

Explicit informed consent has been obtained

The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person

The transfer is necessary for important reasons of public interest

The transfer is necessary for the establishment, exercise or defense of legal claims

The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

The transfer is made from a register which according to EU or Member State law is intended to provide information to

the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

The Personal Data Processing Law imposes a limitation period with respect to a data subject’s rights to information on the

recipients or categories of recipients to whom the data have been transferred: the data subject has the right to receive

information about transfers within the last 2 years. The Personal Data Processing Law does not provide any other

derogations or additional requirements to the GDPR regarding the transferring of the data.

SECURITY


Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding

security.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding

breach notification duties. The Data State Inspectorate has created a template for the data breach notification available on

its webpage (only in Latvian).

ENFORCEMENT


Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define undertaking and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of undertaking. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called look through liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing, including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases, such as processing employee data

Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered material or non-material damage as a result of a breach of the GDPR has the right to receive

compensation (Article 82(1)) from the controller or processor. The inclusion of non-material damage means that

individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 


All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

When enforcing the decisions provided for in Article 58 of the GDPR that impose a legal obligation, the DSI applies the

Administrative Procedure Law. Under the Personal Data Processing Law, the DSI is also entitled to impose administrative

sanctions on legal entities governed by public law, e.g. state institutions. The official liable for unlawful processing of

personal data, or for failure to comply with the obligations of the controller or processor, may be fined up to EUR 1000.

The Personal Data Processing Law imposes a limitation period of 5 years for civil claims on the reimbursement of losses

caused by the violations of the GDPR.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Personal Data Processing Law does not specifically address (electronic) marketing. However, the use of personal data for

marketing purposes falls within the scope of the law. Provisions on electronic marketing are also included in the Law on

Information Society Services, which requires the prior express consent of the person before his or her contact information (eg,

email address, phone number) is used for electronic marketing purposes. This is also stressed in the guidelines provided by the DSI.

Under the Law on Information Society Services, no consent is required if the contact data was obtained in the course of the

sale of goods or provision of services, the marketing concerns the same or similar goods or services, the recipient is able to

decline the use of his or her personal data easily and at no cost, and the recipient has not previously declared that he or she

does not want to be contacted.

Since the amendments of April 19, 2017, the Law on Information Society Services also contains procedures for submitting and

reviewing complaints: the end user has the right to submit any complaint regarding the provision of electronic communications

services (thus also, potentially, any data protection issue), first to the relevant electronic communications merchant and

afterwards to the Public Utilities Commission.

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding

electronic marketing.

ONLINE PRIVACY

Specific issues of online privacy are regulated in the Electronic Communications Law and the Law on Information Society Services.

The Law on Information Society Services states that the storage of information received, including cookies or similar technologies,

is permitted, provided that the consent of the person has been received after he or she has received clear and comprehensive

information regarding the purpose of intended storage and data processing. Therefore, with regard to cookies Latvian law

supports an opt in approach.

As to location data, the Electronic Communications Law permits the processing of location data only to ensure the provision of

electronic communications services or if the express prior consent is obtained. The person whose location data is being processed

has the right to revoke his or her consent or to suspend it at any time, notifying the relevant electronic communications merchant

of this revocation or requested suspension.

The processing of location data for other purposes without the consent of a user or subscriber is permitted only if it is not

possible to identify the person utilizing such location data or if the processing of location data is necessary for emergency services.

The Personal Data Processing Law does not provide any derogations or additional requirements to the GDPR regarding

online privacy.

KEY CONTACTS

Sorainen

www.sorainen.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Ieva Andersone
Senior Associate, Head of Commercial & Regulatory Practice Group in Latvia

Sorainen

T +371 67 365 000

ieva.andersone@sorainen.com

Andis Burkevics
Senior Associate

Sorainen

T +371 67 365 007

andis.burkevics@sorainen.com


LEBANON

Last modified 28 December 2021

LAW

Law No. 81/2018 relating to Electronic Transactions and Personal Data (the “Law”).

DEFINITIONS

Definition of Personal Data

Personal Data is defined as any information relating to an individual which helps identifying such individual, either directly or

indirectly, including by way of comparing or combining information of multiple sources.

Definition of Sensitive Personal Data

The Law brings no definition of sensitive personal data per se. However, it states that the processing of personal data falling within

specific categories shall only be processed under a license from the Ministry of Economy and Trade (exceptions apply).

The Law does not attribute a particular name for such category of data, simply listing specific data elements falling within the above

defined category, as follows:  

those related to the external and internal security of the State, under the terms of a joint decision of the Ministers of

National Defence and Interior and Municipalities;

those related to criminal offences and judicial proceedings of various natures, under the terms of a decision by the

Minister of Justice;

those related to health, genetic identity, sexual life of individuals, under the terms of a decision of the Minister of Public

Health.

NATIONAL DATA PROTECTION AUTHORITY

There is no National Data Protection Authority in Lebanon. 

The Ministry of Economy and Trade is responsible for issuing permits and licenses for the processing of personal data when

required under the Law.

REGISTRATION

Any person or entity wishing to process personal data must file a declaration before the Ministry of Economy and Trade, obtaining

a permit issued against receipt of such declaration, unless:

the data subject has agreed in advance to the processing of their personal data;

the data is processed by public authorities, within their prerogatives;


when processed by Non-Profit Organizations in relation to the members and clients thereof, within the scope of the

normal and legal exercise of their functions;

when processed for the purpose of keeping dedicated records required under the provisions of applicable laws and

regulations, for the purpose of informing the public and which data can be accessed by any person having a legitimate

interest;

when processed by educational institutions in relation to their students and pupils, for educational or administrative

purposes;

when processed by institutions, commercial companies, trade unions, associations and liberal professionals in relation to

their employees and members, within limits and for the needs of exercising their activities in a legal manner;

when processed by commercial entities, associations, organizations, trade unions and liberal professionals in relation to

their clients and customers, within limits and for the needs of exercising their activities in a legal manner.

DATA PROTECTION OFFICERS

The Law brings no definition of data protection officer.

COLLECTION & PROCESSING

Processing of Personal Data is defined as any action or set of actions performed on the data regardless of the medium used,

including data collection, recording, organization, storage, adaptation, modification, extraction, reading, use, transmission, copy,

dissemination, deletion, destruction or otherwise disposing of it. 

The Law states that personal data shall be collected faithfully and for legitimate, specific, and explicit purposes. In addition, the data

must: be appropriate; not exceed the set purposes; be correct and complete; and be kept as up to date and relevant as possible.

Data controllers, or their representatives, have an obligation to inform data subjects of the following:

the identity of the data controller or the identity of its representative;

the purposes of the processing;

the mandatory or optional nature of the raised questions;

the consequences of non-response;

the persons to whom the data is to be sent; and

the right to access and correct information, as well as the means provided for the same.

TRANSFER

The Law is silent on cross-border data transfers.

SECURITY

The Law does not mandate specific technical security measures; a general standard of appropriate security applies.

The Law requires the data processor to take all measures, in light of the nature of the data and the risks resulting from processing

thereof, in order to ensure the integrity and security of the data and to protect the same against being distorted, damaged or

accessed by unauthorized persons.

BREACH NOTIFICATION

Not applicable.

ENFORCEMENT

Data subjects are entitled to resort to the competent courts, especially the Judge of Expedited Matters, for matters related to

the enforcement of their rights under the Law.

There are no administrative enforcement actions.


The public prosecutor and/or data subjects can start legal proceedings for enforcement of the Law.

ELECTRONIC MARKETING

It is forbidden to communicate unsolicited marketing and advertising emails (SPAM) using a real person’s name and address, unless

that person has consented to such type of advertising, except for cases where the sender of the unsolicited advertisement has

legally obtained the address of such individuals through a previous engagement with them. 

The Law provides that any individual shall have the right to object to the processing of their personal data for legitimate reasons,

including to the collection and processing of personal data for marketing/promotion purposes (exceptions apply).

ONLINE PRIVACY

The Law does not identify classes or types of personal data and makes no specific mention of cookies/cookie identifiers or

location data. Whether online identifiers qualify as personal data will have to be assessed by the local courts.

KEY CONTACTS

Alem & Associates

www.alemlaw.com/


Leila Laila
Partner, Head of IP, Franchising and Media

Alem & Associates

leila.laila@alemlaw.com


LESOTHO

Last modified 20 December 2021

LAW

The right to privacy is recognized and protected under the Constitution of the Kingdom of Lesotho.

Lesotho has established a Data Protection Act, 2013 (the DP Act). The DP Act provides principles for the regulation of the

processing of any personal information in order to protect and reconcile the fundamental and competing values of personal

information privacy.

DEFINITIONS

Definition of personal data

The DP Act defines personal data or information as being information about an identifiable individual that is recorded in any form,

including:

Information relating to the race, national or ethnic origin, religion, age or marital status of the individual

Information relating to the education or the medical, criminal or employment history of the individual or information

relating to financial transactions in which the individual has been involved

Any identifying number, symbol or other particular assigned to the individual

The address, fingerprints or blood type of the individual

The name of the individual where it appears with other personal information relating to the individual or where the

disclosure of the name itself would reveal information about the individual

Correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature,

and replies to such correspondence that would reveal the contents of the original correspondence

The views or opinions of any other person about the individual

Definition of sensitive personal data

The DP Act defines sensitive personal information as any of the following:

Genetic data, data related to children, data related to offenses, criminal sentences or security measure, biometric data as

well as, if they are processed for what they reveal, personal information revealing racial or ethnic origin, political opinions,

religious or philosophical beliefs, affiliation, trade-union membership, gender and data concerning health or sex life

Any personal information otherwise considered by Lesotho law as presenting a major risk to the rights and interests of

the data subject, in particular unlawful or arbitrary discrimination.

Section 29 prohibits a data controller from processing sensitive personal information, unless specifically permitted under the DP

Act.

Section 36 contains general exemptions to the prohibition on processing sensitive personal information. These include instances

where:

Processing is carried out with prior parental consent where the data subject is a child and is subject to parental control in

terms of the law

The processing is necessary for the establishment, exercise or defense of a right or obligation in law

Processing is necessary to comply with an obligation of international public law

The Commission has granted authority in terms of section 37 for processing in the public interest, and appropriate

guarantees have been put in place in law to protect the data subject’s privacy

Processing is carried out with the consent of the data subject

The information has deliberately been made public by the data subject

NATIONAL DATA PROTECTION AUTHORITY

The Data Protection Commission (Commission).

Part 2 of the DP Act provides for the establishment of a Data Protection Commission, an independent and administrative

authority established to have oversight and control over the DP Act and the respective rights of information privacy.

The powers and duties of the Commission are set out in section 8 of the DP Act.

REGISTRATION

The DP Act (section 25(5)) requires that a data controller process personal information only upon notification to the

Commission.

DATA PROTECTION OFFICERS

The DP Act (section 58) authorizes the head of a data controller to designate, by order, one or more officers or employees to be

Data Protection Officers of that controller. In terms of that order, the Data Protection Officers may exercise, discharge or

perform any of the power, duties or functions of the head of the data controller under this Act.

COLLECTION & PROCESSING

The DP Act defines processing as an operation or activity or any set of operations, whether or not by automatic means relating to

any of the following:

The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration,

consultation or use

Dissemination by means of transmission, distribution or making available in any other form

Merging, linking, as well as blocking, degradation, erasure, or destruction, of information

Under the DP Act (section 15(2)), personal information may only be processed where one of the following applies:

The data subject provides explicit consent to the processing


Processing is necessary for the conclusion or performance of a contract to which the data subject is a party

Processing is necessary for compliance with a legal obligation to which the data controller is subject

Processing is necessary to protect the legitimate interests of the data subject

Processing is necessary for the proper performance of public law duty by a public body

Processing is necessary for pursuing the legitimate interests of the data controller or of a third party to whom the

information is supplied

Regarding the collection of data, the DP Act requires that a person shall collect personal information directly from the data

subject, except where:

The information is contained in a public record or has deliberately been made public by the data subject

The data subject has consented to the collection of the information from another source

Collection of the information from another source would not prejudice a legitimate interest of the data subject

Collection of the information from another source is necessary:

To avoid prejudice to the maintenance or enforcement of the law and order

For the conduct of proceedings in any court or tribunal that have commenced or are reasonably contemplated

In the legitimate interests of national security

To maintain the legitimate interests of the data controller or of a third party to whom the information is supplied

Compliance would prejudice a lawful purpose of the collection

Compliance is not reasonably practicable in the circumstances of the particular case

TRANSFER

The DP Act distinguishes between the transfer of personal information to a recipient in a Member State of the Southern African

Development Community (SADC) that has transposed the SADC data protection requirements, and the transfer of personal

information to a Member State that has not transposed the SADC data protection requirements or to a non-Member State.

Personal information shall only be transferred to recipients in a Member State that has transposed the SADC data protection

requirements:

Where the recipient establishes that the data is necessary for the performance of a task carried out in the public interest

or pursuant to the lawful functions of a data controller, or

Where the recipient establishes the necessity of having the data transferred and there is no reason to assume that the

data subject’s legitimate interests might be prejudiced by the transfer or the processing in the Member State

Further to the above, the DP Act requires that the controller make a provisional evaluation of the necessity for the transfer of the

data. The recipient shall ensure that the necessity for the transfer of the data can be subsequently verified. The data controller

shall ensure that the recipient shall process the personal information only for the purposes for which they were transferred.

Personal information may only be transferred to recipients outside the SADC Member States that are subject to national law

adopted pursuant to the SADC data protection requirements if an adequate level of protection is ensured in the country of the

recipient and the data is transferred solely to permit processing otherwise authorized to be undertaken by the controller.

The adequacy of the level of protection afforded by the relevant third country in question shall be assessed in the light of all the

circumstances surrounding the relevant data transfer(s); particular consideration shall be given to the nature of the data, the

purpose and duration of the proposed processing, the recipient’s country, the relevant laws in force in the third country and the

professional rules and security measures which are complied with in that recipient’s country.

SECURITY

The DP Act regulates security measures on integrity of personal information processed by a data controller and security measures

regarding information processed by an agent.

The DP Act (section 20) gives the data controller the duty to secure the integrity of personal information in its possession by

taking appropriate measures to prevent the loss, damage to or unauthorised destruction of personal information and prevent the

unlawful access to or processing of personal information.  In order to give effect to this, the data controller should take the

following reasonable measures:

Identify all reasonably foreseeable internal and external risks to personal information in its possession or under its control;

Establish and maintain appropriate safeguards against the identified risks;

Regularly verify that the safeguards are effectively implemented; and

Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented

safeguards.  

The DP Act (section 21) states that any personal information processed by an agent should only be done with the knowledge and

authorization of the data controller.  Secondly the personal information should be treated as confidential unless the law or the

performance of their duties requires disclosure.  The following security measures are in place for information processed by an

agent:

A data controller should ensure that the agent processing the personal information establishes and maintains the security

measures referred to in the DP Act.

A written contract between the data controller and agent governs the processing of personal information by the agent.

If the agent is not domiciled or does not have its principal place of business in Lesotho, the data controller should take

reasonable steps to ensure that the agent complies with the laws relating to the protection of personal information of the

territory in which the agent is domiciled. 

BREACH NOTIFICATION

Where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by

an unauthorized person, the data controller, or any other third party processing personal information under the authority of a data

controller, shall notify:

The Commission, and

The data subject, unless the identity of such data subject cannot be established

The notification shall be made as soon as reasonably possible after the discovery of the compromise, taking into account the

legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to

restore the integrity of the data controller’s information system.

The data controller, in terms of section 23(3), shall delay notification to the data subject where the Lesotho Mounted Police

Service, the National Security Service or the Commission determines that notification will impede a criminal investigation.

The breach notification to a data subject shall be in writing and communicated to the data subject in one of the following ways:

Mailed to the data subject’s last known physical or postal address

Sent by email to the data subject’s last known email address

Placed in a prominent position on the website of the party responsible for notification


Published in the news media

As may be directed by the commission

The notification is required to provide sufficient information to allow the data subject to take protective measures against

potential consequences of the compromise, including, if known to the data controller, the identity of the unauthorized person who

may have accessed or acquired the personal information.

Mandatory breach notification

See above.

ENFORCEMENT

The Commission is responsible for the enforcement of the DP Act.

The DP Act (section 49) also permits a data subject to institute a civil action for damages in a court having jurisdiction against a

data controller for breach of any provision of this Act.

ELECTRONIC MARKETING

Under section 50 of the DP Act, direct marketing is defined as a communication, by whatever means, of any advertising or

marketing material which is directed to particular data subjects.

A data subject is entitled any time to require the data controller to cease, or not to begin, processing of personal data in respect

of which he is the data subject for the purposes of direct marketing.

ONLINE PRIVACY

There are no sections of the DP Act which regulate privacy in relation to cookies and location data. These issues may be dealt

with in future regulations, which the DP Act permits the Minister to make on the recommendations of the Commission.

 

KEY CONTACTS

Lungelo Magubane
Associate

T +27 11 302 0819

lungelo.magubane@dlapiper.com

Savanna Stephens
Associate

T +27 11 302 0830

savanna.stephens@dlapiper.com

Monique Jefferson
Director

T +27 11 302 0853

monique.jefferson@dlapiper.com


LIBERIA

Last modified 21 February 2022

LAW

Data Privacy Protection Laws.

DEFINITIONS

Definition of Personal Data

Personal Data is not defined by existing laws. Data is, however, defined variously by different statutes and legal instruments in

Liberia, as follows:

Financial Intelligence Unit Act of 2012: “Data” means “representations, in any form, of information or concepts”.

Central Bank of Liberia (“CBL”) E-Payment Regulation: “Data integrity” means “the assurance that information

that is in-transit or in storage is not altered without authorization”.

The ECOWAS Supplemental Act, of which Liberia is a signing member, defines personal data as “any information relating

to an identified individual or who may be directly identifiable by reference to an identification number or one or several elements

related to their physical, physiological, genetic, psychological, cultural, social, or economic identity”. Accordingly, it can be

concluded that (i) card numbers and (ii) account numbers from which a person can be directly identified qualify as

sensitive personal information/data.

Definition of Sensitive Personal Data

There is no Liberian law that defines sensitive personal data.

NATIONAL DATA PROTECTION AUTHORITY

No specific national data protection agency or authority exists in Liberia, and besides a broad statement in the Liberian

Constitution that “no person shall be subjected to interference with his privacy of person, family, home or correspondence except by order

of a court of competent jurisdiction”, there is no dedicated privacy law, whether of person or in respect of data, not to mention any

dedicated data protection authority.

Admittedly, Liberia is a signatory to the ECOWAS Supplemental Act, which requires member States, including Liberia, to

establish a National Data Authority within their jurisdiction. However, Liberia has not yet established such an authority.

REGISTRATION

In terms of “Spatial Data”, the Liberia Institute of Statistics and Geo-Information Services (LISGIS) is the public agency responsible for

the collection of statistical and geographic information that is used to produce maps.

However, entity(ies) whose business requires the collection of data are required to register and receive the requisite

permit/license from the government entity controlling/overseeing the sector in which the entity(ies) would be conducting business.

Every permit/license issued by the requisite government authority is renewable.

DATA PROTECTION OFFICERS

There is no known or publicly designated Data Protection Officer, or Officers, in Liberia. In the same vein, there is no law requiring the

appointment or creation of such posts whether in public or private entities dealing with data.

COLLECTION & PROCESSING

As used in the National Information and Communications Technology Policy of 2019, the term “data collector” refers to any

entity, institution or person – governmental or private – that gathers information of an individual/a consumer for the use and

identification of the individual/consumer in its business/line of work. 

In respect of the processing of data, the Central Bank of Liberia “E-Payment Regulation” states in Section 19.1 that “All

e-payment service providers shall maintain privacy and confidentiality of customer information and data, unless sharing customer information

and data is authorized by the customer or on a court order or in keeping with the AML/CFT Regulations for Financial Institutions in Liberia.” 

Section 19.2 provides that the conditions under which customer information and data will be kept shall be disclosed before the

customer enters into agreement with the Authorized Institution while Section 19.3 states that “Provisions of data protection including

confidentiality shall be in tandem with all relevant laws”.

TRANSFER

The CBL Act restricts the unauthorized transfer of customers’ information. Section 3.3 of the Central Bank of Liberia (“CBL”)

Regulation Concerning Consumer Protection and Market Conduct provides that: “a relevant financial institution shall exercise the

maximum protection of consumer’s information and shall not disclose any information about a consumer to a third party except where (i) the

institution is required by law to disclose such information, or (ii) the disclosure is made with the expressed consent of the consumer”. It also

provides that “each relevant financial institution shall have in place information security guidelines or policies, a secured database, and

procedures for handling of customers’ information. The guidelines or policies shall cover the information technology (IT) risk management

system with respect to customer’s information protection.”

SECURITY

Section 9.1 of the CBL Regulations Concerning the Licensing and Operations of Electronic Payment Services in Liberia

(“E-Payment Regulation”) provides as follows:

“All e-payment service providers shall ensure that personal information of customers obtained during the course of operations is

used, disclosed, retained and protected as agreed”; and

“They shall ensure the security, Integrity, Confidentiality and Availability of data and services by adopting prevailing international

standard(s) as well as those prescribed by Central Bank of Liberia from time to time.”

BREACH NOTIFICATION

There is generally no breach notification requirement, nor any dedicated agency or entity to which such notification must be

made.

Mandatory breach notification

Whenever a private action is contemplated through the courts, it is mandatory that the accused is apprised of the matter in order

to inform the prospective defendant of the allegation against him or her. This is usually accomplished through the issuance of the

appropriate Writ issued by the court which is served upon the Defendant.

ENFORCEMENT

Enforcement is generally by a private right of action, but there are few administrative sanctions under some statutes and

regulations, such as regulations governing the financial, insurance and telecommunications sectors, for violation of customer

privacy by divulging confidential information without authorization.

ELECTRONIC MARKETING

Section 13.46(1) of the Liberia Electronics Transaction Law (2002) states that: “a person who has access to any record, book, register,

correspondence, information, document or other material in the course of performing a function under or for the purposes of this Law shall

not disclose or permit or suffer to be disclosed such record, book, register, correspondence, information, document or other material to any

other person”. However, Section 13.46(2) of the Act provides that the above-quoted provision of Sub-section 1 does not apply to

disclosure:

Which is necessary for performing or assisting in the performance of a function under or for the purposes of this Law;

For the purpose of any criminal proceedings in Liberia or elsewhere;

For the purpose of complying with a requirement made under a rule of law with a view to instituting a criminal proceeding

in Liberia or elsewhere; or

Under the direction or order of a court.

ONLINE PRIVACY

There are no specific provisions under Liberian laws relating to online privacy. However, data collectors are required to exercise

the maximum protection of consumers’ information and shall not disclose any information about a consumer to a third party

except where (i) the institution is required by law to disclose such information, or (ii) the disclosure is made with the expressed

consent of the consumer. Data collectors are required to ensure the integrity and adequacy of their IT and security systems.

KEY CONTACTS

Heritage Partners & Associates Inc.

www.hpaliberia.com/


Cllr. Mark M.M. Marvey
Partner

Heritage Partners & Associates Inc.

T +231-777529389

mmarvey@hpaliberia.com

Atty. Beyan G. Mulbah
Associate

Heritage Partners & Associates Inc.

T +231-776428313

bmulbah@hpaliberia.com


LIBYA

Last modified 16 February 2022

LAW

Currently, there is no data protection law in Libya. However, Articles 12 and 13 of the Constitution 2011 guarantee the right to a

private life for citizens and the confidentiality of correspondence, telephonic conversations and other forms of communications

except where required by a judicial warrant respectively. In other words, there is no detailed information concerning privacy

systems in Libya that protect individuals when their data is processed. With regard to privacy protection, there are some

provisions in the Libyan Penal Code (1953) that provide general protection for private correspondence and homes from any

interference by others. These articles provide that the public servants who commit an offence against private correspondence will

face imprisonment of no less than six months.   Also, there are some articles in the Act No 4 (1990) on the National System for

Information and Documentation, which governs the government’s collection of personal data for conducting research for social

and economic reasons. This Act provides some provisions which require government entities to take some steps to protect the

collected data, such as prohibiting the government from forcing individuals to give their data in order to conduct its research.

However, these articles do not provide protection to personal data when individuals process their data. Also, the Central Bank of

Libya has regulated general criteria for protecting personal data, which are available online. However, these are applicable only to Libyan

banks.

DEFINITIONS

Definition of Personal Data

There is no definition of personal data as per Libyan Law.

Definition of Sensitive Personal Data

There is no definition of sensitive personal data as per Libyan Law.

NATIONAL DATA PROTECTION AUTHORITY

There is no data protection authority.

REGISTRATION

There are no registration requirements relating to personal data.

DATA PROTECTION OFFICERS

There is no data protection officer requirement as per Libyan Law.

COLLECTION & PROCESSING


There are some articles in the Act No 4 (1990) on the National System for Information and Documentation, which governs the

government’s collection of personal data for conducting research for social and economic reasons. This Act provides some

provisions which require government entities to take some steps to protect the collected data, such as prohibiting the

government from forcing individuals to give their data in order to conduct its research. However, these articles do not provide

protection to personal data when individuals process their data. Also, the Central Bank of Libya has regulated general criteria for

protecting personal data, which are available online. However, these are applicable only to Libyan banks.

TRANSFER

Not applicable.

SECURITY

Not applicable.

BREACH NOTIFICATION

There is no breach notification requirement in Libya.

ENFORCEMENT

Any enforcement will be done by the Libyan courts based on the agreement between the parties involved.

ELECTRONIC MARKETING

There is no specific law governing electronic marketing.

ONLINE PRIVACY

There is no specific online privacy legislation.

KEY CONTACTS

Abdou Law Firm

www.abdoulawfirm.com/


Dr Majdi Abdou
Managing Partner

Abdou Law Firm

T +218213610799

majdi.abdou@abdoulawfirm.com

Mohanad Hussein
Senior Associate

Abdou Law Firm

T +218213600028

mohanad.hussein@abdoulawfirm.com


LITHUANIA

Last modified 22 January 2021

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force

in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on

May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However,

there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own

domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the

Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the

offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their

behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The implementation of the GDPR has been achieved in the Republic of Lithuania. The Law on Legal Protection of Personal

Data (hereinafter ‘Data Protection Law’) has been in force since July 16, 2018.

The Data Protection Law replaced the Law on Legal Protection of Personal Data.

DEFINITIONS

Personal data is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for

“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of

operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone

or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes

personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Data Protection Law refers to the definitions provided by the GDPR. Only two definitions: ‘direct marketing’ and

‘institutions and authorities’ are defined differently in the Data Protection Law.

Under the Data Protection Law, ‘direct marketing’ means any activity consisting of offering goods or services or asking

opinion on the goods or services offered, by post, telephone or other direct means.

‘Institutions and authorities’ means state and municipal institutions and authorities, enterprises and public institutions,

financed from state or municipal budgets and state monetary funds and authorized by the Law on Public Administration of

the Republic of Lithuania to perform public administration activities or to provide public or administrative services to

persons or to perform other public functions.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

There are two supervisory authorities in Lithuania: the State Data Protection Inspectorate and the Inspector of Journalist

Ethics. The State Data Protection Inspectorate is responsible for monitoring the application of the GDPR and the Data

Protection Law as well as ensuring these acts are applied, except where it is within the competence of the Journalist Ethics

Officer. The Journalist Ethics Officer performs the same functions where the personal data is processed for journalistic

purposes and for academic, artistic or literary expression, except for tasks and powers listed in Article 57(1) (j) to (l) and

(n) to (t), Article 58(1) (b) to (c), Article 58(2) (e), (g), (h) and (j), and Article 58(3) (a), (c) and (e) to (j) of the GDPR.

In addition to the tasks established in the GDPR, the Data Protection Law authorizes the State Data Protection

Inspectorate to perform the following tasks:


To provide advice to data subjects, data controllers and processors on the protection of personal data and

privacy protection, and also to develop methodological recommendations for the protection of personal data and

to publish them publicly on their website

To cooperate with personal data protection supervisory authorities of other countries, European Union

institutions and international organizations and to take part in their activities

To participate in the formation of state policy in the field of personal data protection and to implement it

To implement the provisions of the Convention for the Protection of Individuals with regard to Automatic

Processing of Personal Data (ETS No. 108) and its Protocols

To perform other functions specified in the Data Protection Law and other legal acts

In addition to the powers established in the GDPR, the Data Protection Law authorizes the State Data Protection

Inspectorate to:

Receive all necessary information, copies of documents and duplicates, and copies of the data from the data

controllers and data processors, state and municipal institutions and bodies, other legal and natural persons; as

well as access to all data and documents which are necessary for the execution of tasks and functions of the State

Data Protection Inspectorate

During the investigation of the infringements to enter the premises of the person or entity which is subject to the

inspection and to exercise similar actions with respect to related persons or entities

Participate in meetings of the Parliament, the Government, and other state institutions when issues related to the

protection of personal data or privacy are being considered

Invite experts and consultants, to form working groups on examination of processing or protection of personal

data, preparation of personal data protection documents and to deal with other issues which fall under the

competence of the State Data Protection Inspectorate

Provide recommendations and instructions to data controllers, data processors and other legal or natural persons

regarding the processing of personal data or the protection of privacy

Exchange information with other countries’ personal data protection supervisory authorities and international

organizations to the extent necessary for their functions

Participate in court hearings when infringements of international, European Union or national law provisions on

personal data protection issues are being considered

Use technical measures during the investigation of infringements

Receive oral and written explanations from legal entities and natural persons during the infringement proceedings

and to demand that they arrive to provide explanations to the premises of the State Data Protection Inspectorate

Use the information held by the State Data Protection Inspectorate, including personal data obtained during the

investigation of infringements or received by the State Data Protection Inspectorate for other functions

Involve police officers in order to prevent the possible use of violence and in order to maintain public order

Perform other functions specified in the law

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.


Given that the GDPR does not provide for the registration of data processing activities, registries and related systems no

longer exist.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systemic monitoring of data subjects on a large scale

Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate

to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be

told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article

38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws

To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff

To advise and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Data Protection Law does not determine any derogations from the requirements which are set in the GDPR

regarding data protection officers.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (purpose limitation principle)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and where necessary kept up-to-date (accuracy principle)


Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate

compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and

appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous,” and must be

capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (of the EU) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment of the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was

not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.


Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate compelling legitimate grounds for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. Necessary for entering into or performing a contract

b. Authorized by EU or Member State law


c. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The Data Protection Law contains provisions on specific conditions related to the processing of the national identification number.

Article 3 of the Data Protection Law determines particularities of the processing of the personal code:

The personal code can be processed if at least one of the conditions for the lawfulness of the processing of personal data referred to in Article 6(1) of Regulation (EU) 2016/679 is met

It is forbidden to disseminate the personal code

It is forbidden to process the personal code for direct marketing purposes

The Data Protection Law provides specific rules and exceptions regarding processing of personal data for journalistic, academic, artistic and literary purposes. When processing data for these purposes, Articles 8, 12-23, 25, 30, 33-39, 41-50 and 88-91 of the GDPR shall not be applicable.

The Data Protection Law also provides specific rules regarding processing of personal data in the employment context:

It is forbidden to process the personal data of candidates and employees related to convictions and offences committed by the candidate or employee, unless such personal data are necessary to verify that a person meets the requirements of law or implementing legislation for the purpose of performing work or other duties.

The data controller may collect personal data relating to qualifications, professional skills and business characteristics of a candidate applying for a job from a former employer by duly informing the candidate, and from the existing employer by receiving the consent of the candidate.

Where video or audio data are processed in the workplace and at the data controller’s premises or in the areas where employees work, or personal data relating to the monitoring of employees’ behavior are processed, employees must be informed of such processing of their personal data in writing or by any other means which make it possible to prove that the information referred to in Article 13(1) and (2) of Regulation (EU) 2016/679 has been provided.

The consent of a child for the use of information society services is deemed lawful where the child is at least 14 years old. Where the child is below the age of 14 years, such consent will be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility for the child.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes among others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.


The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. Explicit informed consent has been obtained;

b. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

d. The transfer is necessary for important reasons of public interest;

e. The transfer is necessary for the establishment, exercise or defense of legal claims;

f. The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

The Data Protection Law provides that the State Data Protection Inspectorate must issue an authorization for the transfer of personal data to a third country or an international organization in order for the transfer to be lawful. A substantiated written refusal to issue it within a maximum of 20 working days may also be communicated by the State Data Protection Inspectorate.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. The pseudonymization and encryption of personal data

b. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

The Data Protection Law does not provide any derogations or additional requirements to the GDPR regarding security.

BREACH NOTIFICATION


The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

The Data Protection Law does not provide any derogations or additional requirements to the GDPR regarding breach notification duties.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing including conditions for consent;

Data subjects’ rights;

International transfer restrictions;

Any obligations imposed by Member State law for special cases such as processing employee data; and

Certain orders of a supervisory authority.


The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations;

Obligations of certification bodies; and

Obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The Data Protection Law sets out administrative fines which can be imposed on public institutions. The State Data Protection Inspectorate has the right to impose an administrative fine:

Up to 0.5% of the annual budget of the institution in the current year or of the total annual revenue received in the previous year but not exceeding EUR 30000 for breach of the provisions referred to in the paragraphs a-c of Article 83(4) of the GDPR

Up to 1% of the annual budget of the institution in the current year or of the total annual revenue received in the previous year, but not exceeding EUR 60000, for breach of the provisions referred to in the paragraphs a-e of Article 83(5) and Article 83(6) of the GDPR

When a public authority or body carries on commercial business, according to sections 4-6 of Article 83 of the GDPR

The statute of limitation is two years from when the offence has been committed, and in case of continued offences, within two years after the offence has been identified.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Electronic marketing to individuals in Lithuania must only be conducted in accordance with the Data Protection Law, the Electronic Communications Law and the Law on Advertising of the Republic of Lithuania (Advertising Law).

General requirements for direct marketing:

The recipient (either natural person or legal person) has given his prior consent (under Lithuanian law, an opt-in principle applies, ie, the customer should actively express his willingness to receive commercial communication)

The recipient’s consent must be obtained separately from other terms of the contract between the parties

Consent cannot be obtained in the standard terms presented to the recipient (eg, “by accepting these terms you agree to receive our commercial communication to the email provided to us”). The consent must stand separately from other contractual terms, so that the data subject has an actual possibility to choose whether he or she wants to receive commercial communication from the company or not

The company must ensure that recipients have been given a clear, free-of-charge and easily realizable possibility not to give their consent or to refuse giving their consent for the use of this data for the above-mentioned purposes at the time of collection of the data and, if initially the recipient has not objected against such use of the data, at the time of each offer

No direct marketing should be carried out where the contact has requested not to receive unsolicited direct marketing.

Exemption: if the company has obtained electronic contact details in the process of selling a product or a service, it is allowed to use these details for direct marketing provided that the recipient (either natural person or legal person) is given an opportunity to refuse such marketing; this opportunity shall continue to be offered with each message.

Additional requirements under the Advertising Law:

Direct marketing must be clearly recognizable as a commercial communication

The person on behalf of whom this commercial communication is distributed must be clearly identified

The content of the offer and conditions regarding receiving of the service must be formulated clearly and precisely

Each marketing communication is a separate violation, for which a penalty of up to EUR 3,000 may be imposed.

As mentioned above, the Data Protection Law provides a definition of direct marketing and prohibits the processing of the personal code for direct marketing purposes.

ONLINE PRIVACY

Traffic Data


Traffic Data held by a public electronic communications services provider must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a communication. However, Traffic Data can be retained if:

It is being used to provide a value added service

Consent has been given for the retention of the Traffic Data

It is required for investigation of a grave crime

Traffic Data can only be processed by a CSP for:

The management of business needs, such as billing or traffic

Dealing with customer enquiries

The prevention of fraud

The provision of a value added service

Cookies

The use of cookies is permitted only if approved by the user (under Lithuanian law, an opt-in principle applies). However, consent is not required for cookies used for website technical structure and for cookies used for showing website content. Consent is not required for session ID cookies and for so called ‘shopping basket’ cookies (these exceptions do not apply if such cookies are used for collecting statistical information on use of the website).

Clear and exhaustive information on use of cookies, including information about the purpose of cookie related data processing, must be provided. This information should be provided in the privacy policy of the website. Consent to the terms of the website’s privacy policy or terms of use containing the information on use of cookies is considered insufficient. Consent through web browser settings may be considered adequate only if the browser settings allow choosing what cookies may be used and for what purposes. However, considering the nature of currently used web browsers, consent through web browser settings is not considered appropriate under Lithuanian law.

Location data

Processing of location data triggers personal data processing laws. The data controller must have a legitimate basis for such personal data processing (eg, the data subject has given his consent; a contract to which the data subject is party is being concluded or performed; it is a legal obligation of the data controller under laws to process personal data; processing is necessary in order to protect vital interests of the data subject; etc.).

The Data Protection Law does not provide any derogations or additional requirements to the GDPR regarding online privacy.


KEY CONTACTS

Sorainen

www.sorainen.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Stasys Drazdauskas
Counsel

Sorainen

T +370 52 685 040

stasys.drazdauskas@sorainen.com

Irma Kirklytė
Senior Associate

Sorainen

T +370 52 685 040

irma.kirklyte@sorainen.com


LUXEMBOURG

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Two Luxembourg Data Protection Laws of August 1, 2018 have been enacted to implement the GDPR:

The Law on the organization of the National Data Protection Commission (CNPD) and the general data protection framework. It has repealed the previous Law on Data Protection (amended Law of August 2, 2002) and completes the GDPR at the national level. Most of all it gives the framework for the CNPD’s organization, composition and powers under the GDPR and the applicable national law

The Law on the protection of individuals with regard to the processing of personal data in criminal matters as well as in matters of national security

Article L. 261-1(1) of the Labor Code provides specific regulations concerning employer workplace surveillance.

In addition, the amended Law of May 30, 2005 on data protection and electronic communications governs the protection of personal data in the field of telecommunications and electronic communications, implementing the Directive 2002/58/EC.

Along with several CNPD recommendations, the Law of July 17, 2020 introducing a series of measures to combat the Covid-19 pandemic, as amended, provides a legal framework on the processing of personal data in the context of the COVID-19 crisis.

DEFINITIONS

Personal data is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for

“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of

operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone

or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes

personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The definition of personal data has not been amended by applicable law. GDPR definitions apply.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Commission Nationale pour la Protection des Données (CNPD) 

15, Boulevard du Jazz, L-4370 Belvaux

T +352 26 10 60 1

F +352 26 10 60 29.


The CNPD is in charge of monitoring and checking that the data are processed in accordance with the GDPR, as well as

the Law of August 1, 2018 on the organization of the National Data Protection Commission, the Law of August 1, 2018

on the protection of individuals with regard to the processing of personal data in criminal matters and in matters of

national security, and any applicable legislation that may include specific personal data protection provisions.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

No specific provisions in the applicable law.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systematic monitoring of data subjects on a large scale

Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate

to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be

told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article

38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws

To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff

To advise and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic


law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

Article 65(1) of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides for

a specific obligation to appoint a DPO in the context of processing of personal data for scientific or historical research

purposes or statistical purposes. Such appointment must be made in accordance with the nature, scope, context and

purposes of the processing, as well as the risks for the rights and freedoms of the relevant data subjects. In this regard, if

the data controller elects not to appoint a DPO, it must then formally document and justify why it chose not to appoint a

DPO, for each project involving a processing of personal data for scientific or historical research purposes or statistical

purposes.

Article 64 of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides that

the same applies to processing of special categories of personal data for the purposes defined in Article 9(2)(j) GDPR (ie,

processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (purpose limitation principle)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and where necessary kept up-to-date (accuracy principle)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate

compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and

appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous,” and must be

capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (of the EU) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a


balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment of the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was

not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of

purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).


Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12,

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631),

in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt

on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)


Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly

affects him or her” is only permitted where:

Necessary for entering into or performing a contract

Authorized by EU or Member State law

The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

The Law of August 1, 2018 on the organization of the National Data Protection Commission provides specific regulations

concerning the processing of personal data for the purposes of the surveillance of employees at the workplace by the

employer (thus modifying Article L. 261-1(1) of the Labor Code). In this respect, the employer must comply with a certain

set of obligations, in addition to its general obligations as a data controller under the GDPR.

Notably, the employer must inform certain employee representation bodies of the contemplated processing of personal

data. This information must contain a detailed description of the purposes of the contemplated processing, the means of

implementation of the surveillance, and the retention policy for the personal data concerned.

When employees or their representation bodies are informed that their personal data may be processed for surveillance

purposes, they may ask the CNPD for a preliminary opinion on the compliance of such surveillance project with applicable

data protection legislation. The employer may not begin surveillance until the CNPD hands down its decision.

When surveillance has already been put in place by the employer, employees have a right to file a complaint with the

CNPD if they believe that processing does not comply with applicable data protection legislation. Filing such a complaint

may not be held as grounds for dismissal.

Finally, the Law of August 1, 2018 on the organization of the National Data Protection Commission provides three specific

provisions complementing the GDPR in matters left to Member State discretion.

1. Processing of personal data for the sole purpose of journalism, university research, art or literature

This processing is not subject to:


Prohibitions on processing special categories of personal data set out under Article 9(1) GDPR

Limitations applicable to processing of personal data relating to criminal convictions and offences (Article 10,

GDPR):

Provided such processing concerns data made publicly available (in an obvious fashion) by the data subject

If the data are directly connected to the public life of the data subject

If the data are directly connected to an event in which the data subject has willingly become involved

Obligations imposed on the data controller in case of a transfer of personal data to third countries or

international organizations (Chapter V, GDPR)

The obligation of the data controller to provide information to the data subject where personal data are collected

from the data subject (Article 13, GDPR), when providing such information would jeopardize the collection of

personal data from such data subject

The obligation of the data controller to provide information to the data subject where personal data have not

been obtained from the data subject (Article 14, GDPR), when providing such information would jeopardize

either the collection of personal data, a publication project, making such personal data available to the public in

any way whatsoever or would provide indications as to the source of information

The obligation to provide the data subject with the right of access to his or her personal data. Such right is

postponed and limited, in that it cannot enable the data subject to identify the source of information. This right

may be exercised only through the CNPD and in the presence of the President of the Press Council or his or her

representative

2. Processing of personal data for scientific or historical research purposes, for statistical purposes, or for

archiving purposes in the public interest

When personal data is processed for scientific or historical research purposes or for statistical purposes, the rights of the

data subject specified under articles 15, 16, 18 and 21 GDPR may be limited provided that such rights would make

impossible or seriously impede the accomplishment of the specific concerned purposes.

Such limitation on data subject rights may only be applied where the data controller puts in place an extensive set of

additional appropriate safeguard measures for the rights and freedom of the data subject (Article 65 of the Law of August

1, 2018 on the organization of the National Data Protection Commission), such as, in particular:

The appointment of a DPO

Performing an impact assessment of the contemplated processing on the protection of personal data

Anonymizing the data processed

In any event, the additional safeguard measures must be put in place in accordance with the nature, scope, context and

purposes of the processing, as well as the risks for the rights and freedoms of the relevant data subjects. In this regard, if

the data controller elects not to put in place one of the measures listed in Article 65 of the Law of August 1, 2018 on the

organization of the National Data Protection Commission, it must then formally document and justify why it chose not to

do so.

Finally, processing of special categories of personal data for archiving purposes in the public interest, scientific or historical

research purposes or statistical purposes (Article 9(2)(j), GDPR) is allowed under the same conditions (ie, putting in place

additional appropriate safeguard measures as defined under Article 65 of the Law of August 1, 2018 on the organization of

the National Data Protection Commission).

3. Processing of special categories of personal data

Genetic data may not be processed for purposes of exercising the controller’s own rights in the field of employment and

insurance law.

TRANSFER


Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes, among others, binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

Explicit informed consent has been obtained

The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person

The transfer is necessary for important reasons of public interest

The transfer is necessary for the establishment, exercise or defense of legal claims

The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

The transfer is made from a register, which according to EU or Member State law, is intended to provide information to

the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State (transfers in response to such requests where there is

no other legal basis for transfer will infringe the GDPR).

No specific provisions in the applicable local law.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing

Article 65 of the Law of August 1, 2018 on the organization of the National Data Protection Commission provides specific technical measures that must be put in place for limited categories of processing (ie, processing of personal data for scientific or historical research purposes or for statistical purposes, and processing of special categories of personal data for archiving purposes in the public interest).

Such measures include:

Resorting to an independent trusted third party for the anonymization or pseudonymization of the personal data

Log files allowing for the identification of the purpose, date and time of consultation of the personal data as well

as for the identification of the person having collected, modified or deleted the personal data

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

No specific provisions in the applicable local law.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases such as processing employee data

Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The CNPD may:

Impose administrative fines as provided for in Article 83 of the GDPR (however, it cannot impose such sanctions with respect to the State or municipalities)

Impose on the controller or processor a penalty of up to five per cent (5%) of its average daily turnover during the last closed financial year, for as long as the controller or processor fails to provide information requested by the CNPD pursuant to Article 58(1)(a) GDPR, or fails to comply with a corrective measure adopted by the CNPD pursuant to Article 58(2)(c)-(j) GDPR

Impose sanctions (an imprisonment of 8 days or a fine of between EUR 251 and EUR 125,000) against anyone

who knowingly prevents or hinders the performance of the CNPD’s missions

Order the insertion in full or by extracts of its decisions in newspapers or otherwise, at the expense of the

person sanctioned

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The use of automated calling systems without human intervention (automatic calling machines), facsimile machines (fax) or

electronic mail for the purposes of direct marketing is permissible only in respect of subscribers who have given their prior

consent.

Where a supplier obtains from its customers their electronic contact details for electronic mail, in the context of the sale of

products or services, that supplier may use those electronic contact details for direct marketing of its own similar products or

services provided that customers are clearly and distinctly given the opportunity to object, free of charge and in an easy manner,

to such use of electronic contact details when they are collected and on the occasion of each message where the customer has

not initially refused such use.

The transmission of unsolicited communications for purposes of direct marketing by means other than those referred to in the

previous paragraphs shall be permissible only with the prior consent of the subscriber concerned.

No specific provisions in the applicable local law.

ONLINE PRIVACY

Traffic Data

For the purposes of the investigation, detection and prosecution of criminal offences, and solely with a view to enabling information to be made available, in so far as may be necessary, to the judicial authorities, any service provider or operator

processing traffic data must retain such data for a period of six months. This obligation includes data related to missed phone

calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator must erase

such data unless made anonymous.

Traffic data may be processed for the purposes of marketing electronic communications services or providing value added

services, to the extent and for the duration necessary for such supply or marketing of such services, provided that the provider of

an electronic communications service or the operator has informed the subscriber or user concerned in advance of the types of

traffic data processed and of the purpose and duration of the processing, and provided that the subscriber or user has given his or

her consent, notwithstanding his or her right to object to such processing at any time.

Location Data other than Traffic Data

Service providers or operators have also the obligation to retain location data other than traffic data for a period of six months

for the purposes of the investigation, detection and prosecution of criminal offences. This obligation includes data related to

missed phone calls wherever these data are generated, stored or recorded. Beyond this period, the service provider or operator

must erase such data unless made anonymous.

Service providers or operators may process location data other than traffic data relating to subscribers and users only if such data

have been made anonymous or the subscriber or user concerned has given his or her consent, to the extent and for the duration

necessary for the supply of a value added service.

Service providers and, where appropriate, operators shall inform subscribers or users in advance of the types of location data

other than traffic data processed, of the purposes and duration of the processing and whether the data will be transmitted to third

parties for the purpose of providing the value added service. Subscribers or users shall be given the possibility to withdraw their

consent to the processing of location data other than traffic data at any time.

Where subscriber or user consent has been obtained for the processing of location data other than traffic data, the subscriber or

user must continue to have the possibility, using a simple means free of charge, to temporarily refuse the processing of such data

for each connection to the network or for each transmission of a communication.

Cookies

Prior informed consent of a subscriber or user is required. The method of providing information and the right to refuse should be

as user friendly as possible and, where it is technically possible and effective, the user’s consent may be expressed by appropriate

browser or application settings.

The CNPD published official guidelines on cookies in October 2021 (https://cnpd.public.lu/fr/dossiers-thematiques/cookies.html).

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Olivier Reisch
Partner

T +352 26 29 04 2017

olivier.reisch@dlapiper.com

David Alexandre
Counsel

T +352 26 29 04 2614

david.alexandre@dlapiper.com


MACAU

Last modified 22 November 2021

LAW

Macau Personal Data Protection Law no. 8/2005 of August 22nd (Law).

DEFINITIONS

Definition of personal data

The Law defines personal data as any information of any type, in any format, including sound and image, related to a specific or

identifiable natural person (data subject). An ‘identifiable natural person’ is anyone who can be identified, directly or indirectly, in

particular by reference to a specific number or to one or more specific elements related to his or her physical, physiological,

mental, economic, cultural or social identity.

Definition of sensitive personal data

The Law defines sensitive personal data as any personal data revealing political persuasion or philosophical beliefs, political and

joint trade union affiliation, religion, private life, racial or ethnical origin or data related to health or sex life, including genetic data.

NATIONAL DATA PROTECTION AUTHORITY

The Office for Personal Data Protection (OPDP, https://www.gpdp.gov.mo/) is the Macau regulatory authority responsible for supervising and coordinating the implementation of the Law.

REGISTRATION

The OPDP must be notified of any processing of personal data by a data controller, within 8 days from the commencement of the

processing activity, unless an exemption applies.

For certain data categories (eg, certain sensitive personal data, data regarding illicit activities or criminal and administrative offenses

or credit and solvency data) and certain specific personal data processing, data controllers must obtain prior authorization from

the OPDP.

The OPDP provides (official) forms that must be submitted regarding personal data processing, either in Portuguese or Chinese

language, along with the following information (if applicable):

Identification and contact details of the data controller and its representatives

The personal data processing purpose

Identification and contact details of any third party carrying out the personal data processing

The commencement date of the personal data processing

The categories of personal data processed (disclosing whether sensitive personal data, data concerning the suspicion of illicit activities, criminal and / or administrative offenses or data regarding credit and solvency are to be collected)

The legal basis for processing personal data

The means and forms available to the data subject for updating his or her personal data

Any transfer of personal data outside Macau, along with the grounds for, and measures to be adopted with, the transfer

Personal data storage time limits

Interconnection of personal data with third parties

Security measures adopted to protect the personal data

DATA PROTECTION OFFICERS

There is no legal requirement to appoint a data protection officer in Macau.

COLLECTION & PROCESSING

Personal data may be processed only if the data subject has given his or her unequivocal consent or if the processing is necessary for one of the following:

Execution of an agreement where the data subject is a party, or, at the data subject’s request, negotiation in relation to

such an agreement

Compliance with a legal obligation to which the data controller is subject

Protection of vital interests of the data subject if he or she is physically or legally unable to give his or her consent

Performance of a public interest assignment or exercise of public authority powers vested in the data controller or in a

third party to whom the personal data is disclosed, or

Pursuing a data controller’s legitimate interest (or the legitimate interest of a third party to whom the data is disclosed),

provided that the data subject’s interests or rights, liberties and guarantees do not prevail

The data subject must be provided with all relevant processing information, including the identification of the data controller, the

purpose of processing, and the means and forms available to the data subject for accessing, amending and deleting his or her

personal data. Moreover, if applicable, the data subject should also be informed of the possibility of their data being transferred to

a jurisdiction outside of Macau.

TRANSFER

The transfer of personal data outside Macau can only take place if the recipient country ensures an adequate level of personal data

protection, unless the data subject has provided clear consent or the required legal conditions have been met, and the required

filings have been made with the OPDP.

SECURITY

The data controller must implement adequate technical and organizational measures to protect personal data against accidental or

unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular, where the processing involves

the transmission of data over a network, and against all other unlawful forms of processing. Such measures must ensure a security

level appropriate to the risks represented by the personal data processing and the nature of the personal data, taking into

consideration the state of the art and costs of the measures.

BREACH NOTIFICATION

The Law does not require data controllers to notify either the OPDP or data subjects about any personal data breach.

However, a new Law on Cybersecurity came into effect in 2019, which implemented the requirement to notify the Cybersecurity

Incident Alert and Response Center (CARIC) and respective regulatory authority, in the event of a system breach – this obligation

is, however, limited to operators of critical infrastructures.

ENFORCEMENT


Violations of the Law are subject to civil liability and administrative and criminal sanctions, including fines and / or imprisonment.

ELECTRONIC MARKETING

Under the Law, data subjects have the right to object, upon their request and free of charge, to the processing of their personal

data for direct marketing purposes, to be informed before their personal data is disclosed or used by third parties for the purpose

of direct marketing and to be expressly offered, also free of charge, the right to object to such disclosure or use.

ONLINE PRIVACY

The Law also applies in the online environment.

For example, a Macau company that collects personal data from Macau residents through its website (eg, through cookies) must

fulfil all obligations under the Law imposed on data processors. In particular, the Macau company must inform data subjects of the

personal data processing purpose and notify the OPDP about the personal data processing.

KEY CONTACTS

MdME Lawyers

www.mdme.com.mo/en/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

José Leitão
Partner

MdME Lawyers

T +853 2833 3332

jleitao@mdme.com.mo

Daniela Guerreiro
Associate

MdME Lawyers

T +853 2833 3332

danielag@mdme.com.mo


MADAGASCAR

Last modified 25 January 2017

LAW

Law No. 2014-038 relating to protection of personal data is the main regulatory framework in Madagascar (the ‘Data Protection

Law’).

After discussion at the National Assembly of Madagascar, the Data Protection Law was adopted on 16 December 2014. The Law

was promulgated by the President of Republic of Madagascar on 9 January 2015.

In order to come into effect, the Data Protection Law must be published in the Official Gazette of the Republic of Madagascar.

As of the last update to this section (January 2017), this was expected to occur during the course of 2017.

DEFINITIONS

Definition of personal data

Personal data is any information relating to a natural person, whereby that person is or can be identified, directly or indirectly, by reference to a name, an identification number or to one or more elements specific to him/her, such as elements relating to his/her physical, physiological, psychological, economic, cultural or social identity.

Definition of sensitive personal data

Sensitive personal data means data which includes information relating to:

racial origin

biometric and genetic information

political opinion

religious belief or others convictions

trade-union affiliation

health or sexual life.

NATIONAL DATA PROTECTION AUTHORITY

The Data Protection Law provides for the creation of the Commission Malagasy sur l’Informatique et des Libertés (‘CMIL’). However, the CMIL has not yet been established.

REGISTRATION

Except for certain data processing that is subject to exemption, authorisation, ministerial order or decree, the processing of

personal data requires a prior declaration to the CMIL.


The prior declaration to the CMIL shall specify, where relevant, inter alia:

the identity and the address of the data controller (responsable du traitement) (ie, the natural or legal person who either

alone or jointly with other persons determines the purpose and the means of the personal data processing and

implements such processing itself or appoints a data processor for that purpose)

the purpose(s) of the processing

the interconnections between databases

the types of personal data processed, their origins and the categories of persons affected by the processing

the duration for which the data will be kept

the department or persons in charge of implementing the data processing

the existence of data transfer to other country

the measures taken in order to ensure the security of the processing

the use of a data processor (sous-traitant).

The CMIL must issue its decision on any authorisation application within 2 months of receipt of the application. This period can be extended by a further 2 months by decision of the President of the CMIL. If the CMIL has not issued a decision within these periods, the application is deemed refused.

DATA PROTECTION OFFICERS

The Data Protection Law does not provide any legal requirement to appoint a data protection officer (délégué à la protection des données à caractère personnel) in Madagascar.

However, an entity is exempt from making prior declarations to the CMIL if the entity has appointed a data protection officer (‘DPO’).

The appointment of a DPO does not exempt an entity from requesting prior authorisation, where necessary (for example where there is a transfer of data to a country that does not provide an adequate level of protection for personal data).

The DPO must be a resident of Madagascar.

COLLECTION & PROCESSING

The following principles must be satisfied when personal data is collected and processed:

all personal data must be processed fairly and lawfully for specific, explicit and legitimate purposes and subsequently

processed in accordance with these purposes

all personal data collected must be adequate, relevant and non-excessive in view of the purposes for which it is collected

all personal data must be accurate and comprehensive and when necessary, kept up to date

all personal data must be retained no longer than is necessary for the purposes for which it is processed.

The processing of personal data must receive the data subject’s prior consent or fulfill one of the following conditions:

compliance with a legal obligation of the data controller

the purpose of the processing is to protect the individual’s life


the purpose of the processing is to carry out a public service

the processing relates to the performance of a contract to which the concerned individual is a party, or pre-contractual

measures requested by that individual

processing relates to the realisation of the legitimate interest of the data controller or the data recipient, subject to the

interest and fundamental rights and liberties of the concerned individual.

The conditions for processing sensitive personal data include most of the above conditions, but add a list of more restrictive conditions that must also be satisfied, such as the requirement to obtain the prior consent of the data subject or, in the absence of consent, that the processing is undertaken to carry out a public service and is required by law or has been authorised in advance by the CMIL.

TRANSFER

The transfer of a data subject’s personal data to a third party country is allowed only if the country guarantees to individuals a

sufficient level of protection in terms of privacy and fundamental rights and liberties.

The sufficiency of the protection is assessed by considering all the circumstances surrounding the transfer, in particular the nature

of the data, the purpose and the duration of the proposed processing, country of origin and country of final destination, rules of

law, both general and sectorial in force in the country in question and any relevant codes of conduct or other rules and security

measures which are complied with in that country.

Data controllers may transfer personal data to a third country that is not deemed to offer adequate protection only if:

the data subject consents and has been duly informed of the absence of adequate protection

the transfer is necessary:

for the performance of a contract between the data controller and the individual, or pre-contractual measures

undertaken at the individual’s request 

for the conclusion or the performance of a contract in the interest of the individual, between the data controller

and a third party

for the protection of the public interest

for consultation of a public register intended for the public’s information

to comply with obligations allowing the acknowledgment, the exercise or the defence of a legal right.

In all cases, the data recipient in the third party country cannot transfer personal data to another country, except with the

authorisation of the first data controller and the CMIL.

SECURITY

The data controller must take all useful precautions, with respect to the nature of the data and the risk presented by the

processing, to preserve the security of the data and, amongst other things, prevent alteration, corruption or access by

unauthorised third parties.

BREACH NOTIFICATION

The Data Protection Law does not set out any general or specific obligation to notify the CMIL or the data subject in the event of

a data security breach. 

ENFORCEMENT


The CMIL has the power to proceed with verifications of any data processing, and, as the case may be, to request a copy of every

document that it considers useful in respect of verifications. The CMIL agents are authorised to carry out online inspections and

on-site verifications of a data controller or a data processor.

In cases where the CMIL is of the opinion that a data controller or a data processor has contravened the provisions of the Data

Protection Law, then it may serve, in accordance with the severity of the violation committed:

warnings and notices to comply with the obligations defined in the Data Protection Law

notice of withdrawal of the authorisation

a financial sanction of up to 5% of the turnover, excluding tax, of the last financial year.

The Data Protection Law provides that any processing of personal data in contravention with its provisions is considered an

offence. For example, processing of personal data without prior declaration to or authorisation of the CMIL can result in

imprisonment of 6 months to 2 years (Article 62 of the Data Protection Law).

In addition to any penalty, the Court may order the erasure of all or part of the personal data which was the object of the

processing considered an offence.

ELECTRONIC MARKETING

The Data Protection Law does not provide specific restrictions on the use of electronic marketing. However, the data subject has

a right to opt out of allowing their personal data to be used for marketing purposes without providing any reason.

ONLINE PRIVACY

The Data Protection Law does not yet address location data, cookies, local storage objects or other similar data-gathering tools.

KEY CONTACTS

Madagascar Law Offices

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Sahondra Rabenarivo
Managing Partner

Madagascar Law Offices

T +(261) 20 23 25623

sahondra@madalaw.com


MALAYSIA

Last modified 17 November 2021

LAW

Malaysia’s first comprehensive personal data protection legislation, the Personal Data Protection Act 2010 (PDPA), was passed by the Malaysian Parliament on June 2, 2010 and came into force on November 15, 2013.

As part of an ongoing review of the PDPA, the Personal Data Protection Commissioner of the Ministry of Communications and Multimedia Malaysia has issued Public Consultation Paper No. 01/2020 – Review of Personal Data Protection Act 2010 (PC01/2020) dated February 14, 2020 to seek the views and comments of the public on 22 issues set out in PC01/2020, some of which are set out below.

DEFINITIONS

Definition of personal data

‘Personal data’ means any information in respect of commercial transactions that is:

- being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose;
- recorded with the intention that it should wholly or partly be processed by means of such equipment; or
- recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,

and, in each case, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user.

Personal data includes any sensitive personal data or expression of opinion about the data subject. Personal data does not include any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010.

Definition of sensitive personal data

‘Sensitive personal data’ means any personal data consisting of information as to the physical or mental health or condition of a data subject, his or her political opinions, his or her religious beliefs or other beliefs of a similar nature, the commission or alleged commission by him or her of any offense, or any other personal data as the Minister of Communications and Multimedia (Minister) may determine by published order. Other than the categories of sensitive personal data listed above, the Minister has not published any other types of personal data to be sensitive personal data as of December 15, 2020.

NATIONAL DATA PROTECTION AUTHORITY

Pursuant to the PDPA, a Personal Data Protection Commissioner (Commissioner) has been appointed to implement the PDPA’s provisions. The Commissioner will be advised by a Personal Data Protection Advisory Committee who will be appointed by the Minister, and will consist of one Chairman, three members from the public sector, and at least seven, but no more than eleven other members. The appointment of the Personal Data Protection Advisory Committee will not exceed a term of three years; however, members can be appointed for two successive terms.

The Commissioner’s decisions can be appealed through the Personal Data Protection Appeal Tribunal. The following are examples of appealable decisions:

- Decisions relating to the registration of data users under Part II Division 2 of the PDPA
- The refusal of the Commissioner to register a code of practice under Section 23(5) of the PDPA
- The service of an enforcement notice under Section 108 of the PDPA
- The refusal of the Commissioner to vary or cancel an enforcement notice under Section 109 of the PDPA, or
- The refusal of the Commissioner to conduct or continue an investigation that is based on a complaint under Part VIII of the PDPA.

If a data user is not satisfied with a decision of the Personal Data Protection Advisory Committee, the data user may proceed to file a judicial review of the decision in the Malaysian High Courts.

REGISTRATION

Currently, the PDPA requires the following classes of data users to register under the PDPA:

1. Communications
   1. A licensee under the Communications and Multimedia Act 1998
   2. A licensee under the Postal Services Act 2012
2. Banking and financial institution
   1. A licensed bank and licensed investment bank under the Financial Services Act 2013
   2. A licensed Islamic bank and licensed international Islamic bank under the Islamic Financial Services Act 2013
   3. A development financial institution under the Development Financial Institution Act 2002
3. Insurance
   1. A licensed insurer under the Financial Services Act 2013
   2. A licensed takaful operator under the Islamic Financial Services Act 2013
   3. A licensed international takaful operator under the Islamic Financial Services Act 2013
4. Health
   1. A licensee under the Private Healthcare Facilities and Services Act 1998
   2. A holder of the certificate of registration of a private medical clinic or a private dental clinic under the Private Healthcare Facilities and Services Act 1998
   3. A body corporate registered under the Registration of Pharmacists Act 1951
5. Tourism and hospitalities
   1. A licensed person who carries on or operates a tourism training institution, licensed tour operator, licensed travel agent or licensed tourist guide under the Tourism Industry Act 1992
   2. A person who carries on or operates a registered tourist accommodation premises under the Tourism Industry Act 1992
6. Transportation
   1. Certain named transportation services providers
7. Education
   1. A private higher educational institution registered under the Private Higher Educational Institutions Act 1996
   2. A private school or private educational institution registered under the Education Act 1996
8. Direct selling
   1. A licensee under the Direct Sales and Anti-Pyramid Scheme Act 1993
9. Services
   1. A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961 carrying on business as follows: legal, audit, accountancy, engineering, architecture
   2. A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who conducts retail dealing and wholesale dealing as defined under the Control Supplies Act 1961
   3. A company registered under the Companies Act 1965 or a person who entered into partnership under the Partnership Act 1961, who carries on the business of a private employment agency under the Private Employment Agencies Act 1981
10. Real estate
   1. A licensed housing developer under the Housing Development (Control and Licensing) Act 1966
   2. A licensed housing developer under the Housing Development (Control and Licensing) Enactment 1978, Sabah
   3. A licensed housing developer under the Housing Developers (Control and Licensing) Ordinance 1993, Sarawak
11. Utilities
   1. Certain named utilities services providers
12. Pawnbroker
   1. A licensee under the Pawnbrokers Act 1972
13. Moneylender
   1. A licensee under the Moneylenders Act 1951

Certificates of registration are valid for at least one year, after which data users must renew their registration; without renewal they may not continue to process personal data.

Data users are also required to display their certificate of registration at a conspicuous place at their principal place of business, and a copy of the certificate at each branch, where applicable.

The Commissioner may designate a body as a data user forum for a class of data users. Data user forums can prepare codes of practice to govern compliance with the PDPA, which can be registered with the Commissioner. Once registered, all data users must comply with the provisions of the code, and non-compliance violates the PDPA. As of December 15, 2020, the Commissioner has published several codes of practice, including for the banking and financial sector, the aviation sector, the utilities sector, the communications sector and the insurance and takaful industry in Malaysia.

DATA PROTECTION OFFICERS

Currently, Malaysian law does not require that data users appoint a data protection officer.

However, pursuant to PC01/2020, the Commissioner is considering introducing an obligation in the PDPA for a data user to appoint a data protection officer and to introduce a guideline pertaining to such appointments.

COLLECTION & PROCESSING

Under the PDPA, subject to certain exceptions, data users are generally required to obtain a data subject’s consent for the processing (which includes collection and disclosure) of his or her personal data. Where consent is required from a data subject under the age of eighteen, the data user must obtain consent from the parent, guardian or person who has parental responsibility for the data subject. The consent obtained from a data subject must be in a form that such consent can be recorded and maintained properly by the data user.

Pursuant to PC01/2020, the Commissioner has sought feedback on its proposal to amend the General Principle provision to add clarity to the data subject’s consent, whether it should be in a specific provision and the impact of having a default consent.

Malaysian law contains additional data protection obligations, including, for example, a requirement to notify data subjects regarding the purpose for which their personal data are collected and a requirement to maintain a list of any personal data disclosures to third parties.


On December 23, 2015, the Commissioner published the Personal Data Protection Standard 2015 (“Standards”), which set out the Commission’s minimum requirements for processing personal data. The Standards include the following:

- Security Standard For Personal Data Processed Electronically
- Security Standard For Personal Data Processed Non-Electronically
- Retention Standard For Personal Data Processed Electronically And Non-Electronically
- Data Integrity Standard For Personal Data Processed Electronically And Non-Electronically

TRANSFER

Under the PDPA, a data user may not transfer personal data to jurisdictions outside of Malaysia unless that jurisdiction has been specified by the Minister. However, there are exceptions to this restriction, including the following:

- The data subject has given his or her consent to the transfer.
- The transfer is necessary for the performance of a contract between the data subject and the data user.
- The data user has taken all reasonable steps and exercised all due diligence to ensure that the personal data will not be processed in a manner that would contravene the PDPA.
- The transfer is necessary to protect the data subject’s vital interests.

In 2017, the Commissioner published a draft Personal Data Protection (Transfer of Personal Data to Places Outside Malaysia) Order 2017 to obtain public feedback on the proposed jurisdictions to which personal data from Malaysia may be transferred. As of December 15, 2020, the Minister has yet to approve the safe harbor jurisdictions. Once approved, a data user may transfer personal data to these safe harbor jurisdictions without having to rely on the data subject’s consent or other prescribed exceptions under the PDPA.

Pursuant to PC01/2020, the Commissioner acknowledged that a clear provision and the conditions for transferring personal data to places outside Malaysia are essential to facilitate e-commerce transactions and free trade agreements, and opined that a whitelist appears to curb and set a barrier for data users to transfer personal data to places outside Malaysia. In view of this, the Commissioner is considering restructuring the provision on cross border transfers under the PDPA and removing the whitelist provision.

In addition, the Commissioner also acknowledged that data users with overseas branches may need to exchange information with their branches at some point. The Commissioner is considering issuing a guideline on the mechanism and implementation of cross border data transfer and has sought feedback on the important matters to be considered in the proposed guideline.

SECURITY

Under the PDPA, data users have an obligation to take ‘practical’ steps to protect personal data, and in doing so, must develop and implement a security policy. The Commissioner may also, from time to time, set out security standards with which the data user must comply, and the data user is required to ensure that its data processors comply with these security standards.

In addition, the Standards provide separate security standards for personal data processed electronically and for personal data processed non-electronically (among others) and require data users to have regard to the Standards in taking practical steps to protect the personal data from any loss, misuse, modification, unauthorized or accidental access or disclosure, alteration or destruction.

Pursuant to PC01/2020, the Commissioner observed that there are many new technologies such as facial recognition and smart trackers being used as data collection endpoints, and thus is considering issuing a policy regarding endpoint security which uses technologies such as encryption.

BREACH NOTIFICATION

There is no requirement under the PDPA for data users to notify authorities regarding data breaches in Malaysia, though there appears to be a voluntary data breach notification option available on the Personal Data Protection Department’s website. News reports dated October 5, 2018 suggest that Malaysia’s laws could be updated to include data breach notification requirements modeled after those under the European Union’s General Data Protection Regulation (GDPR), including requiring notice to government authorities.

In addition, a news report dated March 20, 2019 reported that the Office of Personal Data Protection Malaysia’s deputy commissioner, Rosmahyuddin Baharuddin, has also indicated that data breach notification is something that Malaysia is “seriously considering”.

Notably, one of the issues for which feedback is sought in PC01/2020 is the reporting of data breaches. The points to be considered include the proposed mandatory data breach notification, the impact of having all data users report about the data, and the elements to be considered in the guideline on data breach incident reporting.

ENFORCEMENT

Under the PDPA, the Commissioner is empowered to implement and enforce the personal data protection laws and to monitor and supervise compliance with the provisions of the PDPA. Under the Personal Data Protection Regulations 2013, the Commissioner has the power to inspect the systems used in personal data processing and the data user is required, at all reasonable times, to make the systems available for inspection by the Commissioner or any inspection officer. The Commissioner or the inspection officers may require the production of the following during inspection:

- The record of the consent from a data subject maintained in respect of the processing of that data subject’s personal data by the data user
- The record of required written notices issued by the data user to the data subject
- The list of personal data disclosures to third parties
- The security policy developed and implemented by the data user
- The record of compliance with data retention requirements
- The record of compliance with data integrity requirements, and
- Such other related information which the Commissioner or any inspection officer deems necessary

Violations of the PDPA and certain provisions of the Personal Data Protection Regulations 2013 are punishable with criminal liability. The prescribed penalties include fines, imprisonment or both. Directors, CEOs, managers or other similar officers will have joint and several liability for non-compliance by the body corporate, subject to a due diligence defense.

There is no express right under the PDPA allowing aggrieved data subjects to pursue a civil claim against data users for breaches of the PDPA.

However, under PC01/2020, the Commissioner has proposed to introduce a specific provision stating the right of a data subject to commence civil litigation against a data user.

ELECTRONIC MARKETING

The PDPA applies to electronic marketing activities that involve the processing of personal data for the purposes of commercial transactions. There are no specific provisions in the PDPA that deal with electronic marketing. However, the PDPA provides that a data subject may, at any time by notice in writing to a data user, require the data user at the end of such period as is reasonable in the circumstances to cease or not to begin processing his or her personal data for direct marketing purposes. ‘Direct marketing’ means the communication by whatever means of any advertising or marketing material that is directed to particular individuals.

Pursuant to PC01/2020, the Commissioner is considering issuing a guideline to data users on the mechanism of digital and electronic marketing. The Commissioner has sought feedback on a proposed requirement on data users to provide a clear mechanism for data subjects to unsubscribe from online services and the elements to be considered in preparing the guideline on processing personal data in digital and electronic marketing.

The Commissioner is also considering issuing a guideline on the implementation of direct marketing for data users. Feedback from the public is sought as to whether a proposed data user is allowed to make the first direct marketing call to the data subject, the use of the ‘opt-out’ method, and the important elements to be considered in the preparation of such guideline.


ONLINE PRIVACY

There are no provisions in the PDPA that specifically address the issue of online privacy (including cookies and location data). However, any electronic processing of personal data in Malaysia will be subject to the PDPA and the Commissioner may issue further guidance on this issue in the future.

KEY CONTACTS

Skrine

www.skrine.com/

Jillian Chia
Partner
Skrine
T +603 2081 3882
jc@skrine.com

MALTA

Last modified 21 February 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The relevant law is the Data Protection Act 2018 (Act) (Chapter 586 of the Laws of Malta) and the Regulations (at present 8 in number) issued under it. The Act repealed and replaced the previous Data Protection Act (Chapter 440 of the Laws of Malta).

In 2020, Subsidiary Legislation 586.10 (‘Processing Of Data Concerning Health for Insurance Purposes Regulations’) was significantly amended. Pursuant to Article 9 of the GDPR, it was made explicit that processing of data concerning health shall be deemed to be in the substantial public interest when such processing is necessary for the purpose of the business of insurance or insurance distribution activities. However, this is made subject to suitable and specific measures designed to safeguard the fundamental rights and freedoms of data subjects.

The main legislative amendments that came into effect in 2021 were those to Subsidiary Legislation 586.07 (Processing of Personal Data (Education Sector) Regulations). The main purpose of these amendments was to bring the terminology used in these regulations in line with the wording of the GDPR rather than the previous local law. The full text, in English, is available at https://legislation.mt/eli/sl/586.7/eng.

In 2021, certain procedural amendments were also made to the Act. The amending act (having the aim of providing for the amendment of various laws for the purpose of reforming the procedure for the making of various appointments) can be read at https://legislation.mt/eli/act/2021/12/eng.

See all Maltese Legislation at https://legislation.mt/Legislation.

DEFINITIONS

Personal data is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Data Protection Act reproduces the definitions provided by Article 4, GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Information and Data Protection Commissioner (Commissioner), informally the Office of the Information and Data Protection Commissioner (OIDPC):

Level 2, Airways House
Second Floor
High Street
Sliema SLM 1549
Malta
T: +356 2328 7100
F: +356 2328 7198
idpc.info@idpc.org.mt
www.idpc.org.mt

The Commissioner has the function (among others) of generally protecting individuals’ data protection rights against privacy violations in personal data processing.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

Under Article 7 of the Maltese DPA, data controllers must consult and gain prior authorization from the Commissioner to process in the public interest: genetic data, biometric data or data concerning health for statistical or research purposes, or special categories of data relating to the management of social care services and systems.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

- It is a public authority
- Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale
- Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).


Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

- To inform and advise on compliance with GDPR and other Union and Member State data protection laws
- To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff
- To advise and monitor data protection impact assessments where requested
- To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Act does not derogate from or further regulate the provisions of the GDPR in this regard.

However, DPOs must be notified to the Commissioner (where the Commissioner has jurisdiction) by sending, even via email, the following basic information:

- Data Controller identity
- name of DPO
- position
- mailing address
- email address
- contact number
- nature of business
- date of appointment, and
- whether the DPO is fulfilling this role for other data controllers.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)
- Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)
- Accurate and where necessary kept up-to-date (accuracy principle)
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)
- Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Malta 678 | | | www.dlapiperdataprotection.com

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous,” and must be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (under EU or Member State law) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data, ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google, as a data controller of the search results, had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. Necessary for entering into or performing a contract

b. Authorized by EU or Member State law

c. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

The position under the Maltese Data Protection Act, 2018

The Act states that controllers and processors may derogate from the provisions of Articles 15, 16, 18 and 21 of the GDPR for the processing of personal data for scientific or historical research purposes or official statistics insofar as:

1. The exercise of the rights set out in those Articles is likely to render impossible or seriously impair the achievement of those purposes, and

2. The data controller reasonably believes that such derogations are necessary for the fulfilment of those purposes.

Controllers and processors may also derogate from the obligations of Articles 15, 16, 18, 19, 20 and 21 of the GDPR for archiving purposes in the public interest. The same criteria ((1) and (2) above) must subsist for this derogation to apply.

Article 8 of the Act stipulates that an identity document shall only be processed when such processing is justified having

regards to the purpose of processing and (1) the importance of a secure identification; or (2) any other valid reason as

may be provided by law.

Personal data being processed for the purpose of exercising the right to freedom of expression and information, including

processing for journalistic purposes or for the purpose of academic, artistic or literary expression, is exempt from

compliance with the provisions of the GDPR (listed below), where, having regard to the right of freedom of expression

and information in a democratic society, compliance with the following provisions would be incompatible with such

processing purposes:

a. Chapter II (Principles)

Article 5(1)(a) to (e) (principles relating to processing)

Article 6 (lawfulness)

Article 7 (conditions for consent)

Article 10 (data relating to criminal convictions, etc.)

Article 11(2) (processing not requiring identification)

b. Chapter III (rights of the data subject)

Article 13(1) to (3) (personal data collected from data subject: information to be provided)

Article 14(1) to (4) (personal data collected other than from the data subject)

Article 15(1) to (3) (access to data and safeguards for third country transfers)

Article 17(1) and (2) (right to erasure)

Article 18(1)(a), (b) and (d) (restriction of processing)

Article 20(1) and (2) (right to data portability)

Article 21(1) (objections to processing)

c. Chapter IV (controller and processor)

Article 25 (data protection by design and by default)

Article 27 (representatives of controllers or processors not established in the Union)

Article 30 (records of processing activities)

Article 33 (notification of personal data breach to supervisory authority)

Article 34 (communication of personal data breach to the data subject)

Article 42 (certification)

Article 43 (certification bodies)

d. Chapter VII (co-operation and consistency)

Articles 60 to 62 (co-operation)

Articles 63 to 67 (consistency)

Important note regarding age of consent: The age at which a child may consent to the processing of personal data in relation to information society services has been lowered from eighteen (18) to thirteen (13) years of age by means of the ‘Processing of Children’s Personal Data in Relation to the Offer of Information Society Services Regulations’ (Subsidiary Legislation 586.11 issued under the Data Protection Act 2018). It is important to note that the age of consent for valid contract formation in Malta remains 18 years of age. This grey area is still subject to local authoritative interpretation. We are not aware of any such interpretations at time of writing.

Finally, in certain circumstances, the collection and processing of personal data are further regulated by local

sector-specific regulations. By way of example, medical data relating to students can only be processed under specific

conditions.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, among others, binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield Framework (note that the Privacy Shield was invalidated by the CJEU in July 2020 in Case C-311/18, Schrems II, and can no longer be relied upon as a transfer mechanism). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. Explicit informed consent has been obtained

b. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

c. The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person

d. The transfer is necessary for important reasons of public interest

e. The transfer is necessary for the establishment, exercise or defense of legal claims

f. The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

g. The transfer is made from a register which, according to EU or Member State law, is intended to provide information to the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State (transfers in response to such requests where there is

no other legal basis for transfer will infringe the GDPR).

The Act does not derogate from, or further regulate, the provisions of the GDPR in this regard.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. The pseudonymization and encryption of personal data

b. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

The Act does not derogate from, or further regulate, the provisions of the GDPR in this regard.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The Act does not derogate from, or further regulate, the provisions of the GDPR in this regard.

The application form to be used when notifying data breaches to the OIDPC can be accessed at https://idpc.org.mt/report-a-breach/.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).


It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases such as processing employee data

Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).


The position under the Maltese Data Protection Act, 2018

Appealing against a decision of the Commissioner

Any person against whom an administrative fine has been imposed by the Commissioner may appeal to the Data

Protection Appeals Tribunal within 20 days from service of the Commissioner’s decision imposing such fine. An appeal to

the Tribunal may be made on any of the following grounds:

That a material error as to the facts has been made

That there was a material procedural error

That an error of law has been made

That there was some material illegality, including unreasonableness or lack of proportionality

Within 2 days of filing an appeal, the Registry of the Tribunal shall:

Serve a copy of the appeal on the Commissioner and request that he or she file a statement on the decision,

together with any other information on which the decision was based within 20 days from the date on which the

appeal was served

Serve a copy of the appeal on the respondent(s) to the appealed decision, and request the respondent(s) file a

reply within 20 days of service of the appeal

Appealing against a decision of the Data Protection Appeal Tribunal

Any party to an appeal before the Tribunal may appeal to the Court of Appeal by means of an application filed in the

registry of that court within 20 days from the date on which the decision of the Tribunal was notified.

Fines against a public authority or body

The Commissioner may impose an administrative fine on a public authority or body of up to EUR 25,000 for each

violation and an additional EUR 25 for each day during which such violation persists for an infringement under Article

83(4) of the GDPR. The fine that the Commissioner may impose on a public authority or body for an infringement of

Article 83(5) or (6) of the GDPR shall not exceed EUR 50,000 for each violation and additionally EUR 50 for each day

during which such violation persists.

Any person who knowingly provides false information to the Commissioner when so requested or who does not comply

with any lawful request pursuant to an investigation by the Commissioner, shall be guilty of an offence and upon

conviction shall be liable to a fine (multa) of not less than EUR 1,250 and not more than EUR 50,000 or to imprisonment for six months.

Actions against a controller/processor

Without prejudice to any other available remedy, a person who believes that his or her rights under the GDPR or the Act

have been infringed may file a sworn application in the First Hall Civil Court for an effective judicial remedy and in the

same way may also institute an action for damages against the controller or processor who processes personal data in

contravention of the provisions of the GDPR or this Act. If the court finds that the controller or processor is liable for

damage caused pursuant to Article 82 of the GDPR, the court shall determine the amount of damages, including, but not limited to, moral damages, due to the data subject.

Any action under Article 30 of this Act shall be instituted within 12 months from when the data subject became aware or

should have reasonably become aware of such a contravention, whichever is earlier.

ELECTRONIC MARKETING


The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Act also applies to most electronic marketing activities, since in the course of such activities it is likely that ‘personal data’ as defined above (including email) will be ‘processed’ as understood by the Act. In relation to direct marketing (even electronic), consent may be revoked at will by the data subject(s).

The controller is legally bound to inform the data subject that he or she may oppose such processing at no cost.

Apart from the Act, the ‘Processing of Personal Data (Electronic Communications Sector) Regulations’ (Subsidiary

Legislation 586.01 issued under the Data Protection Act 2018) (the Electronic Communications Regulations) address a

number of activities relating specifically to electronic marketing.

In the case of subscriber directories, the producer of such directories shall ensure (without charge to the subscriber) that

before any personal data relating to the subscriber (who must be a natural person) is inserted in the directory, the

subscriber is informed about the purposes of such a directory of subscribers and its intended uses (including information

regarding search functions embedded in the electronic version of the directories). No personal data shall be included

without the consent of the subscriber. In furnishing his consent the subscriber shall determine which data is to be included

in the directory and is free to change, alter or withdraw such data at a later date. The personal data used in the directory

must be limited to what is necessary to identify the subscriber and the number allocated to him, unless the subscriber has

given additional consent authorizing the inclusion of additional personal data.

The Electronic Communications Regulations also deal with the issue of unsolicited communications. A person is

prohibited from using any publicly available electronic communications service to engage in unsolicited communications

for the purpose of direct marketing by means of:

An automatic calling machine

A facsimile machine

Email

to a subscriber, irrespective of whether such subscriber is a natural person or a legal person, unless the subscriber has

given his prior explicit consent in writing to the receipt of such a communication.

By way of exception to the above (informally known as the ‘soft opt-in’ rule), where a person has obtained from his

customers their contact details for email in relation to the sale of a product or a service, in accordance with the Act that

same person may use such details for direct marketing of its own similar products or services. However, the customers


must be given the opportunity to object, free of charge and in an easy and simple manner, to such use of electronic

contact details when they are collected and on the occasion of each message where the customer has not initially refused

such use.

In all cases the practice of, inter alia, sending email for the purposes of direct marketing while disguising or concealing the identity of the sender, or without providing a valid address to which the recipient may send a request that such communications cease, is prohibited.

The Act does not change the position under the previous Data Protection Act (Chapter 440) and does not introduce

derogations from the provisions of the GDPR in this regard. The proposed ePrivacy Regulation would need to be analyzed

separately.

ONLINE PRIVACY

Cookie Compliance

Subsidiary Legislation 586.01, entitled ‘Processing of Personal Data (Electronic Communications Sector) Regulations’, amended the regulations implementing Article 2(5) of Directive 2009/136/EC into Maltese Law.

The Commissioner has recently published a “Guidance Note on Cookies Consent Requirements”, which can be read at https://idpc.org.mt/idpc-publications/guidance-note-on-cookies-consent-requirements/.

Traffic Data

Under the Processing of Personal Data (Electronic Communications Sector) Regulations, traffic data relating to subscribers and

users processed by an undertaking which provides publicly available electronic communications services or which provides a public

communications network, must be erased or made anonymous when no longer required for the purpose of transmitting a

communication.

Traffic data required for the purpose of subscriber billing or interconnection payments may be retained, provided however, that

data retention is permissible only up to the period that a bill may lawfully be challenged or payment pursued.

Traffic data may be processed where the aim is to market or publicize the provision of a value-added service, however, the

processing of such data shall only be permissible to the extent and for the duration necessary to render such services.

Processing of traffic data is also permissible by an undertaking providing publicly available electronic communications services for the following purposes:

Managing billing or traffic management

Customer inquiries

Fraud detection

Rendering of value-added services

The Act does not introduce any new rules in this regard.

Location Data

Where location data (other than traffic data) relating to users or subscribers of public communications networks or of publicly available electronic communications services can be processed, such data may only be processed when it is made anonymous or with the consent of the users or subscribers, to the extent and for the duration necessary for the provision of a value-added service.

Prior to obtaining user or subscriber consent, the undertaking providing the service shall inform them of the following:

The type of location data which shall be processed

The purpose and duration of processing

Whether the processed data shall be transmitted to a third party for the purpose of providing the value-added service


A user or subscriber may withdraw consent for the processing of such location data (other than traffic data) at any time.

The Act does not change the previous position and does not derogate from the GDPR or further regulate in this regard.

KEY CONTACTS

Mamo TCV Advocates

www.mamotcv.com/


Dr. Claude Micallef-Grimaud
Partner

Mamo TCV Advocates

T +356 25 403 000

claude.micallefgrimaud@mamotcv.com


MAURITIUS

Last modified 21 February 2022

LAW

Mauritius regulates data protection under the Data Protection Act 2017 (DPA 2017 or Act), proclaimed through Proclamation

No. 3 of 2018 and effective on January 15, 2018. The Act repeals and replaces the Data Protection Act 2004, so as to align with

the European Union General Data Protection Regulation 2016/679 (GDPR).

DEFINITIONS

Definition of personal data

Personal data is defined as any information relating to a data subject. A data subject is a natural person who is identified or identifiable, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Definition of sensitive personal data or special categories of personal data

Similar to the GDPR, the DPA 2017 refers to sensitive personal data as special categories of data. Special categories of data

include personal data pertaining to any of the following about a data subject:

Racial or ethnic origin

Political opinion or adherence

Religious or philosophical beliefs

Membership of a trade union

Physical or mental health or condition

Sexual orientation, practices or preferences

Genetic or biometric data that is uniquely identifying

Commission or proceedings related to the commission of a criminal offense

Such other personal data as the Commissioner may determine to be sensitive personal data

NATIONAL DATA PROTECTION AUTHORITY

Under DPA 2017, the Data Protection Office (DPO) is responsible for data protection oversight. The DPO is an independent and

impartial public office that is not subject to the control or direction of any person or authority. The DPO is headed by the Data

Protection Commissioner (Commissioner), with the assistance of public officers as may be necessary. The contact details of the

DPO are:

Data Protection Office
5th Floor, SICOM Tower
Wall Street, Ebene
Republic of Mauritius

Telephone: +230 460 0251
Fax: +230 489 7341
Website: dataprotection.govmu.org/
Email: dpo@govmu.org, dpo2@govmu.org

REGISTRATION

Every person who intends to act as a data controller or a data processor (as defined below) must register with the Commissioner

in a form approved by the Commissioner and is required to pay a prescribed registration fee. The Commissioner is authorized to

approve applications and issue registration certificates, which are valid for three years.

Data processors and controllers must renew their registration within three months prior to the date that their registration

expires. Failure to register or renew registration constitutes an offence under the Act, punishable by a fine not exceeding 200,000

or imprisonment for a term not to exceed five years.

A data controller is a person or public body who alone, or jointly with others, determines the purposes and means of personal

data processing, and who has decision making power with respect to processing. A data processor is a person or public body who

processes personal data on behalf of a controller.

Application for registration

Every registration application must include all of the following:

Name and address

Whether a representative has been nominated for the purposes of the Act, and the name and address of the

representative

A description of the personal data to be processed by the controller or processor, and of the category of data subjects, to

which the personal data relate

A statement as to whether the data controller or processor holds, or is likely to hold, special categories of personal data

A description of the purpose for which the personal data are to be processed

A description of any recipient to whom the controller intends or may wish to disclose the personal data

The name, or a description of, any country to which the proposed controller intends or may wish, directly or indirectly,

to transfer, the data

A general description of the risks, safeguards, security measures and mechanisms to ensure the protection of the personal

data

A controller or processor who knowingly supplies false or misleading material information in their registration application

commits an offense and could be held liable to a fine not to exceed 100,000 or imprisonment for a term not to exceed five years.

DATA PROTECTION OFFICERS


The DPA 2017 provides that every controller shall adopt policies and implement appropriate technical and organizational

measures so as to ensure and be able to demonstrate that the processing of personal data is performed in accordance with the

Act.

One such measure is the mandatory requirement for the designation of a data protection officer (DPO) by all controllers and processors.

There can be one DPO for a group of companies, provided he is accessible for each company within the group.

The DPO can be an employee of the Controller / Processor, provided that there is no conflict of interest (if such position leads to

the determination of purposes and means of processing) such as in the case of a chief executive, chief operating, chief financial,

chief medical, head of marketing, head of human resource or head of IT.

The DPO can also be someone from outside the organisation.

The DPO needs to have professional experience and knowledge of data protection laws and standards.

The Controller / Processor is required to ensure that the DPO does not receive any instructions regarding the exercise of his functions; he should work in an independent environment and manner.

Role of DPO

The role of the DPO is to:

advise the controller / processor and its employees about their obligations to comply with Data Protection Laws and

monitor compliance;

train staff and conduct internal audits;

advise on DPIAs;

maintain a record of processing operations under his responsibility;

be the first point of contact for the Data Protection Office and for individuals whose data are processed (employees,

customers).

DPOs are not personally responsible for non-compliance with data protection requirements. Data protection compliance is the

responsibility of the controller / processor.

COLLECTION & PROCESSING

Subject to exceptions provided under the Act, a controller cannot collect personal data unless (a) the collection is for a lawful purpose connected with a function or activity of the data controller, and (b) the collection is necessary for that purpose.

Where the data controller collects personal data directly from the data subject, the data controller shall at the time of collecting

personal data ensure that the data subject concerned is informed of:

The identity and contact details of the controller and, where applicable, its representative and any data protection officer

The purpose for which the data are being collected

The intended recipients of the data

Whether or not the supply of the data by that data subject is voluntary or mandatory

The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on

consent before its withdrawal

The existence of the right to request from the controller access to and rectification, restriction or erasure of personal

data concerning the data subject or to object to the processing

The existence of automated decision making, including profiling, and information about the logic involved, as well as the

significance and the envisaged consequences of such processing for the data subject

The period for which the personal data shall be stored

The right to lodge a complaint with the Commissioner


Where applicable, that the controller intends to transfer personal data to another country and on the level of suitable

protection afforded by that country

Any further information necessary to guarantee fair processing in respect of the data subject’s personal data, having regard

to the specific circumstances in which the data are collected

Where data is not collected directly from the data subject concerned, the data controller or any person acting on his behalf shall

ensure that the data subject is informed of the matters set out above.

There are six principles relating to the processing of personal data which are enumerated in the Act. Accordingly, every controller or processor needs to ensure that personal data are:

Processed lawfully, fairly and in a transparent manner in relation to any data subject

Collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those

purposes

Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed

Accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate

personal data are erased or rectified without delay

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the

personal data are processed, and

Processed in accordance with the rights of data subjects

For processing of data to be lawful, it must have a legal basis. One such legal basis is consent. According to the DPA 2017, no person shall process personal data unless the data subject consents to the processing for one or more specified purposes. Consent is defined under the Act as any freely given, specific, informed and unambiguous indication of the wishes of a data subject, either by a statement or a clear affirmative action, by which he signifies his agreement to personal data relating to him being processed.

Processing shall also be lawful, when the processing is necessary for any of the following:

The performance of a contract to which the data subject is a party or in order to take steps at the request of the data

subject before entering into a contract

Compliance with any legal obligation to which the controller is subject

In order to protect the vital interests of the data subject or another person

The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

The performance of any task carried out by a public authority

The exercise, by any person in the public interest, of any other functions of a public nature

The legitimate interests pursued by the controller or by a third party to whom the data are disclosed, except if the

processing is unwarranted in any particular case having regard to the harm and prejudice to the rights and freedoms or

legitimate interests of the data subject

The purpose of historical, statistical or scientific research

Special categories of personal data

Special categories of personal data, as defined above, cannot be processed unless the processing is based on one of the legal bases described above and the processing is carried out in the course of the controller’s / processor’s legitimate activities with appropriate safeguards.

It is also possible to process special categories of personal data when:

Processing relates to personal data which are manifestly made public by the data subject; or

Processing is necessary for:

the establishment, exercise or defense of a legal claim;

the purpose of preventive or occupational medicine, for the assessment of the working capacity of an employee,

medical diagnosis, the provision of health or social care or treatment or the management of health or social care

systems and services or pursuant to a contract with a health professional subject to the obligation of professional


secrecy;

the purpose of carrying out the obligations and exercising specific rights of the controller or of the data subject;

or

protecting the vital interests of the data subject or of another person where the data subject is physically or

legally incapable of giving consent.

TRANSFER

A controller or processor may transfer personal data to another country where any of the following apply:

It has provided to the Commissioner proof of appropriate safeguards with respect to the protection of the personal data;

or

The data subject has given explicit consent to the proposed transfer, after having been informed of the possible risks of

the transfer owing to the absence of appropriate safeguards; or

The transfer is necessary: (i) for the performance of a contract between the data subject and the controller or the

implementation of pre-contractual measures taken at the data subject’s request; (ii) for the conclusion or performance of

a contract concluded in the interest of the data subject between the controller and another person; (iii) for reasons of

public interest as provided by law; (iv) for the establishment, exercise or defense of a legal claim; or (v) in order to

protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable

of giving consent; or (vi) for the purpose of compelling legitimate interests pursued by the controller or the processor

which are not overridden by the interests, rights and freedoms of the data subjects involved and where – (A) the transfer

is not repetitive and concerns a limited number of data subjects; and (B) the controller or processor has assessed all the

circumstances surrounding the data transfer operation and has, based on such assessment, provided to the Commissioner

proof of appropriate safeguards with respect to the protection of the personal data; or

The transfer is made from a register which, according to law, is intended to provide information to the public and which is

open for consultation by the public or by any person who can demonstrate a legitimate interest, to the extent that the

conditions laid down by law for consultation are fulfilled in the particular case. Such transfer shall not involve the entirety

of the personal data or entire categories of the personal data contained in the register and, where the register is intended

for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or

in case they are to be the recipients.

The Commissioner may request a person who transfers data to another country to demonstrate the effectiveness of the

safeguards or the existence of compelling legitimate interests and may, in order to protect the rights and fundamental freedoms of

data subjects, prohibit, suspend or subject the transfer to such conditions as he may determine.

SECURITY

Under the DPA 2017, a controller or processor must, at the time of the determination of the means for processing and at the time of the processing, implement and maintain appropriate security and organizational measures for the prevention of unauthorized access to, alteration, disclosure or destruction of, or the accidental loss of the personal data.

Additionally, the controller or processor must ensure that measures provide a level of security appropriate to the harm that may

result from the unauthorized access to, alteration, disclosure or destruction of, or the accidental loss of the personal data and the

nature of the personal data concerned.

The measures referred to above shall include all of the following:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing

In determining the appropriate security measures, in particular, where the processing involves the transmission of data over an


information and communication network, a data controller shall have regard to the:

State of technological development available

Cost of implementing any of the security measures

Special risks that exist in the processing of the data, and

Nature of the data being processed

Where a controller is using the services of a processor – (a) the controller must choose a processor that is able to provide

sufficient guarantees in respect of security and organizational measures for the purpose of complying with the security measures

described above; and (b) the controller and the processor shall enter into a written contract which shall provide that – (i) the

processor shall act only on instructions received from the controller; and (ii) the processor shall be bound by obligations of the

controller as regards security measures to be taken.

If the purpose for keeping personal data has lapsed, the controller must destroy such data as soon as reasonably practicable and

notify any data processor holding such data, who in turn must destroy the data specified by the controller as soon as is reasonably

practicable.

Every controller or processor has to take all reasonable steps to ensure that any person employed by him or it is aware of, and

complies with, the relevant security measures.

BREACH NOTIFICATION

Under the DPA 2017, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss,

alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

A controller must without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the

personal data breach to the Commissioner. Where the Controller fails to notify the personal data breach within the 72 hours

time limit, he should provide the Commissioner with the reasons for the delay. Where a processor becomes aware of a personal

data breach, he shall notify the controller without undue delay.

Where a personal data breach is likely to result in a high risk to the rights and freedoms of a data subject, the controller shall also

communicate the personal data breach to the data subject without undue delay.

The communication of a personal data breach to the data subject shall not be required where:

the controller has implemented appropriate technical and organisational protection measures, and those measures were

applied to the personal data affected by the breach, in particular, those that render the data unintelligible to any person

who is not authorised to access it, such as encryption;

the controller has taken subsequent measures to ensure that the high risk to the rights and freedoms of the data subject

referred above is no longer likely to materialise; or

it would involve disproportionate effort and the controller has made a public communication or similar measure whereby the data subject is informed in an equally effective manner.

ENFORCEMENT

The DPA 2017 provides the Commissioner with enforcement authority. Where a complaint is made to the Commissioner that the Act or any regulations made under it has or have been, is or are being, or is or are about to be, contravened, the Commissioner shall:

investigate into the complaint or cause it to be investigated by an authorized officer, unless he is of the opinion that the

complaint is frivolous or vexatious; and

where he is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the

complaint, notify, in writing, the individual who made the complaint of his decision in relation to it so that the individual

may, where he considers that he is aggrieved by the decision, appeal against it to the ICT Appeal Tribunal.

If the Commissioner is of the opinion that a controller or a processor has contravened, is contravening or is about to contravene


the DPA 2017, the Commissioner may serve an enforcement notice on the data controller or processor, requiring remedial

efforts within a specified time frame.

A person who, without reasonable excuse, fails or refuses to comply with an enforcement notice commits an offense, and, on

conviction, is liable to a fine not to exceed 50,000 Mauritian rupees and to imprisonment for a term not to exceed two years.

If the Commissioner has reasonable grounds to believe that data is vulnerable to loss or modification, she may make an application

to a Judge in Chambers for an order for the expeditious preservation of such data.

The Commissioner may also carry out periodical audits of the systems and security measures of data controllers or data

processors to ensure compliance with data protection principles laid down in the DPA 2017.

ELECTRONIC MARKETING

The Act regulates direct marketing, which is defined as the communication of any advertising or marketing material which is

directed to any particular individual. The definition also encompasses electronic marketing.

The data subject may object to the processing of his or her personal data for purposes of direct marketing, including profiling to

the extent relevant. Where a data subject objects to processing, his or her personal data may no longer be processed for that

purpose. This right to object shall be explicitly brought to the attention of the data subject.

ONLINE PRIVACY

The Act applies to online privacy, though it does not contain specific provisions in relation to online privacy.

KEY CONTACTS

Juristconsult Chambers


Shalinee Dreepaul Halkhoree
Partner-Barrister

Juristconsult Chambers

T +230 465 00 20 Extension 225

sdreepaul@juristconsult.com


MEXICO

Last modified 24 January 2022

LAW

The Federal Law on the Protection of Personal Data held by Private Parties (Ley Federal de Protección de Datos Personales en

Posesión de los Particulares) (“the Law”) entered into force on July 6, 2010.

Subsequently, the Executive Branch has also issued the following (collectively, with the Law, referred to herein as “Mexican Privacy

Laws”):

The Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley

Federal de Protección de Datos Personales en Posesión de los Particulares) (the Regulations), which entered into force on

December 22, 2011

The Privacy Notice Guidelines (the Guidelines), which entered into force on April 18, 2013

The Recommendations on Personal Data Security, on November 30, 2013

The Parameters for Self-Regulation regarding personal data, which entered into force on May 30, 2014

The General Law for the Protection of Personal Data in Possession of Obligated Subjects (Ley General de Protección de

Datos Personales en Posesión de Sujetos Obligados), which entered into force on January 27, 2017

On June 12, 2018, a decree was published in the Official Gazette of the Federation approving two important documents:

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data dated January 28,

1981, and its

Additional Protocol regarding supervisory authorities and trans-border data flows dated November 8, 2001.

Mexican Privacy Laws apply to all personal data processing under any of the following circumstances:

Processing carried out by a data controller established in Mexican territory

Processing carried out by a data processor, regardless of its location, if the processing is performed on behalf of a data

controller established in Mexico

Processing by or on behalf of a data controller not located in Mexico, where Mexican legislation is applicable pursuant to

the execution of an agreement or Mexico’s adherence to an international convention or

Processing carried out within Mexican territory, on behalf of a data controller not established in Mexican territory, unless

such processing is only for transit purposes

The Law only applies to private individuals or legal entities that process personal data, and not to the government, credit reporting

companies governed by the Law Regulating Credit Reporting Companies or persons carrying out the collection and storage of

personal data exclusively for personal use where it is not disclosed for commercial use. Further, Mexican Privacy Law also does

not generally apply to business-to-business data, including:

Data of legal entities.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Mexico 697 | | | www.dlapiperdataprotection.com

Data of individuals acting as merchants or professionals.

Data of natural persons acting on behalf of a business (e.g., their employer), where the personal data processed is (a)

limited to first and last names, title, position and functions performed, and business contact data, such as mailing or

physical address, email address, telephone number and fax number, and (b) the personal data is processed solely for the

purpose of representing the business or administering the business relationship (i.e., fulfilling orders, providing services,

carrying out transactions between the business entities)

DEFINITIONS

Definition of personal data

‘Personal data’ is any information concerning an identified or identifiable individual.

Definition of sensitive personal data

‘Sensitive personal data’ is personal data that affects the most intimate areas of the data subject’s life, which if misused, may lead to

discrimination or entail a serious risk to the data subject. In particular, the definition includes data that may reveal any of the

following:

Racial or ethnic origin

Past or present health conditions

Genetic information

Religious, philosophical or moral beliefs

Union affiliation

Political views

Sexual orientation

Pictures and videos

Fingerprints

Geolocation

Banking information

Signature

Other key definitions

‘ARCO Rights’ refer to the access, rectification, cancellation and opposition rights of data subjects with respect to their personal data.

‘Controller’ or ‘data controller’ means the individual or private entity that makes decisions regarding the processing of personal data.

‘Data subject’ means the individual to which the personal data belongs.

‘Guidelines’ means the guidelines issued by INAI, regarding the compliance with the principles and duties of the Data Privacy Law.

‘INAI’ refers to the National Institute of Transparency, Access to Information and Protection of Personal Data (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales).

‘Privacy notice’ means the physical or electronic document, or document generated in any other form by the controller and made

available to data subjects, prior to the processing of their personal data. There are three forms of a privacy notice: comprehensive

or full-form, simplified, and short.

‘Processing’ means any collection, use, disclosure or storage of personal data made through any means, including any access,

handling, exploitation, transfer or disposal of personal data.

‘Processor’ or ‘data processor’ means the individual or entity that separately or jointly with others processes personal data on

behalf of the controller.


‘Remittance’ means any communication of personal data carried out between the controller and the processor, within or outside Mexican territory.

‘Third Party’ means an individual or entity, whether national or foreigner, that is not the data subject, the controller or the

processor of the personal data.

‘Transfer’ means any communication of personal data carried out between the controller and any third party.

NATIONAL DATA PROTECTION AUTHORITY

The National Institute of Transparency for Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales) (INAI) and the Ministry of Economy (Secretaría de Economía) serve as Mexico’s data protection authorities.

REGISTRATION

Mexican law does not require registration with a data protection authority or other regulator in relation to the use of personal

data.

DATA PROTECTION OFFICERS

All data controllers are required to designate a personal data officer or department (each, a Data Protection Officer) to handle

requests from data subjects exercising their ARCO Rights (as defined in ‘Collection and Processing’) under the Law. Data

Protection Officers are also responsible for overseeing and advising on the protection of personal data within their organizations.

COLLECTION & PROCESSING

Principles and obligations 

In processing personal data, data controllers must observe the principles of legality, information, consent, notice, quality, purpose,

loyalty, proportionality and accountability.

Pursuant to these principles:

Personal data must be collected and processed fairly (and not through deceptive or fraudulent means) and lawfully

Personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way

incompatible with those purposes.

Consent must be obtained, unless an exception applies.

Processing of personal data must be adequate, relevant and not excessive in relation to the purposes for which it is collected or further processed.

Personal data must be accurate and, if necessary, updated; every reasonable step must be taken to ensure that data that is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified, and

Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the

purposes for which the data was collected or for which it is further processed.

Data subjects are entitled to a reasonable expectation of privacy in the processing of their personal data. In addition,

personal data must be processed as agreed upon by the parties (in a privacy notice or otherwise) and in compliance with

the Law.

A privacy notice (Aviso de Privacidad) must be made available to data subjects prior to the processing of their personal

data.

Required information for privacy notices

To legally process personal data, data controllers must provide a privacy notice (Aviso de Privacidad), which must be made

available to a data subject prior to the processing of his or her personal data. The privacy notice may be provided to data subjects


in printed, digital, visual or audio formats, or any other technology.

Controllers are required to notify data subjects of the main characteristics of the processing to which their personal data will be

subject. This obligation is complied with through the privacy notice. Therefore, any data controller is required to prepare and

make available to data subjects the relevant privacy notice(s) corresponding to their personal data. Controllers will have to make

available distinct privacy notices for different categories of data subjects, such as personnel and customers.

The Guidelines permit the following three forms of privacy notice, depending on whether the personal data is obtained directly or

indirectly from the data subject, and the context and space in which the personal data is collected:

Comprehensive privacy notice: required to be provided when the personal data is obtained in-person from the data

subject, for example, in a face-to-face interview.

Simplified privacy notice: required to be provided when the data is obtained directly from the data subject, for example, when registering for an account on a website or during a customer service call.

Short form privacy notice: may be provided when the space for the privacy notice is limited and the personal data collected is minimal, for example, at an ATM, in an SMS or on a raffle ticket.

Each of these forms must meet specific disclosure requirements, as described below, and the simplified and short-form notices

must link to, or provide information about how to obtain, the comprehensive notice.

A comprehensive privacy notice must at least contain:

The identity and address of the data controller

A description of the personal data that will be processed

Identification of any sensitive personal data that will be processed, and an affirmative statement that such data will be

processed (if applicable)

The purposes of the data processing, including the primary and any secondary purposes

The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their

data for any secondary purposes

The means by which data subjects can revoke their consent

The means for exercising rights of access, rectification, cancellation or objection (ARCO rights)

Where appropriate, the types of data transfers to be made, including the purposes of such transfers and the identification

of any third parties (not including processors) to whom personal data is transferred

The procedure and means by which the data controller will notify the data subjects of changes to the Privacy Notice, and

Identification of any sensitive personal data that will be processed

A simplified privacy notice must include, at least, the following information:

The identity and address of the Controller

The purposes of the data processing, including the primary and any secondary purposes

The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their

data for any secondary purposes

How to access or obtain the comprehensive privacy notice

The short form privacy notice must include, at least, the following information:

The identity and address of the Controller

The purposes of the data processing, without distinguishing any secondary purposes

The options and means offered by the data controller to data subjects to limit the use, disclosure or processing of their

data for any secondary purposes

In addition to the required information, a privacy notice must be clear and in comprehensible language, with an easy structure and design, which means, among other things, that the privacy notice should not use inappropriate, ambiguous or vague sentences, or refer to texts and documents that are not available for the data subject to review.


The data controller has the burden of proof to show that the privacy notice was provided to the data subjects prior to the

processing of their personal data (unless an exception applies). However, controllers are not required to provide a privacy notice

where:

personal data is obtained indirectly and is intended for historical, statistical or scientific purposes

the personal data collected is not subject to Mexican Privacy Laws (eg, certain business-to-business data as described previously)

Consent to processing

Except as otherwise provided by the Law, some form of consent is required for all processing of personal data; depending upon

the circumstances consent may be implicit, express, or express and written:

Implicit (or tacit) consent applies to the processing of personal data generally, except where the Law requires express or express

written consent (or where consent is not required):

Implicit consent is obtained where the data subject has been informed of the privacy notice and has not objected to or

refused the processing of personal data as described in the privacy notice.

Express consent (notice and opt-in) is required for the processing of financial or asset data.

Express consent may be obtained verbally, in writing, or via any technology or other unmistakable indication. Express and

written consent is required for the processing of sensitive personal data. Express written consent may be obtained

through the data subject’s written signature, electronic signature, or any other authentication mechanism.

In addition to the above, express or express written consent must be obtained where otherwise specifically required pursuant to

an applicable law.

On the other hand, consent from the data subject is not required (but a privacy notice must still be made available) for the

processing of personal data where any of the following apply:

The processing is required pursuant to an applicable Mexican law

The data is contained in publicly available sources

The identity of the data subject has been disassociated from the data (ie, the data subject is no longer identifiable)

Where the processing is for the purpose of fulfilling obligations pursuant to a legal relationship between the data subject

and the data controller

There is an emergency situation that could potentially harm an individual with regard to his or her person or property

Processing is essential for medical attention, prevention, diagnosis, health care delivery, medical treatment or health

services management, where the data subject is unable to give consent in the manner established by the General Health

Law (Ley General de Salud) and other applicable laws, and said processing is carried out by a person subject to a duty of

professional secrecy or an equivalent obligation, or

Pursuant to a resolution issued by a competent authority

TRANSFER

Mexican privacy laws distinguish between ‘transfers’ of personal data (to third parties) and transmissions of personal data (to

processors). Under Mexican Privacy Laws, a ‘transfer’ is any communication or transmission of personal data by or on behalf of the

Controller to a third party (not including a processor). Where the data controller intends to transfer personal data to domestic

or foreign third parties other than a data processor, it must provide the third parties with the privacy notice provided to the data

subject and the purposes to which the data subject has limited the data processing. In addition, the controller must notify data

subjects in the privacy notice of the transfer, including:

that the transfer may be made, as well as to whom and for what purposes the personal data may be transferred.

where consent to the transfer is required, that the data subject consents and how the data subject can refuse to consent

to the relevant transfer(s).

The purpose of the transfer must be limited to the purpose and conditions informed in the privacy notice and consented to by the


data subject (as applicable).

The third-party recipient must assume the same obligations as the data controller who has transferred the data.

Domestic and international transfers of personal data may be carried out without the consent of the data subject where the

transfer is:

Pursuant to a law or treaty to which Mexico is party

Necessary for medical diagnosis or prevention, health care delivery, medical treatment or health services management

Made to the holding company, subsidiaries or affiliates under the common control of the data controller, or to a parent

company or any company of the same group as the data controller, operating under the same internal processes and

policies as the data controller (provided they will comply with principles of Mexican Privacy Laws, the privacy notice

provided to data subjects and the other applicable internal policies regarding data protection)

Necessary by virtue of a contract executed or to be executed between the data controller and a third party in the

interest of the data subject

Necessary or legally required to safeguard public interest or for the administration of justice

Necessary for the recognition, exercise or defense of a right in a judicial proceeding, or

Necessary to maintain or comply with an obligation resulting from a legal relationship between the data controller and the

data subject

The Regulations establish that communications or transmissions of personal data to processors do not need to be notified or

consented to by the data subject. However, the data processor must do all of the following:

Process personal data only according to the instructions of the data controller

Not process personal data for a purpose other than as instructed by the data controller

Implement the security measures required by the Law, the Regulations and other applicable laws and regulations

Maintain the confidentiality of the personal data subject to processing

Delete personal data that were processed after the legal relationship with the data controller ends or when instructed by

the data controller, unless there is a legal requirement for the preservation of the personal data

Not transfer personal data unless instructed by the data controller, the communication arises from subcontracting, or if so

required by a competent authority

SECURITY

All data controllers must establish and maintain physical, technical and administrative security measures designed to protect

personal data from damage, loss, alteration, destruction or unauthorized use, access or processing. They may not adopt security

measures that are inferior to those they have in place to manage their own information.

The risk involved, the potential consequences for the data subjects, the sensitivity of the data and technological development must be taken into account when establishing security measures, and more care should be taken in the collection and processing of sensitive personal data.

The Controller also has the obligation to train its personnel on the proper handling of personal data in order to ensure

compliance with the Mexican Privacy Laws. Per the Guidelines, a controller must also establish, document and follow security

policies and procedures, including:

Maintaining an inventory of personal data and the relevant processing systems, and updating it at least once per year with respect to sensitive personal data

Identifying the duties and obligations of persons that process personal data on behalf of the controller

Conducting appropriate risk analyses to identify dangers and estimate the risk of harm to personal data

Establishing the applicable security measures and confirming they are effectively implemented

Assessing and improving security on an ongoing basis

Establishing a roadmap to implement any missing security measures identified pursuant to a security breach (as necessary to prevent a recurrence of such breach)

Performing reviews or audits of the security program


Maintaining records of the storage means for personal data

BREACH NOTIFICATION

Security breaches occurring at any stage of the processing that materially affect the property or moral rights of the data subject

must be promptly reported by the data controller to the data subject.

Under Mexican Privacy Laws, a security breach of personal data includes any unauthorized:

loss or destruction of personal data

theft, loss or copying of personal data

use, access or processing of personal data

damage or alteration of personal data

If there is a breach of personal data, the controller must first analyze the causes of the breach and then take steps to implement any corrective, preventive or improvement actions necessary to prevent the breach from recurring.

If a breach significantly affects the property or moral rights of the data subjects, the controller must immediately notify the affected

data subjects, as soon as it confirms that the breach has occurred, so that the affected Data Subjects can take the corresponding

measures.

The Regulations provide that breach notification must include at least the following information:

The nature of the breach

The personal data compromised

Recommendations to the data subject concerning measures that he or she can adopt to protect his or her interests

Immediate corrective actions implemented in response to the breach, and

The means by which the data subject may obtain more information in regard to the data breach

ENFORCEMENT

Data subjects can enforce their ARCO Rights, when no response is obtained from the data controller, via INAI and ultimately the court system.

If any breach of the Law or its Regulations is alleged, INAI may perform an on-site inspection at the data controller’s facilities to

verify compliance with the Law.

Violations of the Law may result in monetary penalties or imprisonment, including the following:

INAI may impose monetary sanctions in the range of 100 to 320,000 times the Mexico City minimum wage (currently, MX $88.36,

updated every year). Sanctions may be increased up to double the above amounts for violations involving sensitive personal data.

Three months to three years of imprisonment may be imposed on any person authorized to process personal data who, for profit,

causes a security breach affecting the databases under its custody. Penalties will be doubled if sensitive personal data is involved.

Six months to five years of imprisonment may be imposed on any person who, with the aim of obtaining unlawful profit, processes

personal data deceitfully, taking advantage of an error of the data subject or a person authorized to process such data. Penalties

will be doubled if sensitive personal data is involved.

In determining the appropriate sanctions, the INAI will consider:

The nature of the data

The manifest inadmissibility of the data controller’s refusal to carry out the acts requested by the data subject under this Law

The intentional or unintentional nature of the action or omission constituting the offense

The economic capacity of the data controller, and


Recidivism

The sanctions imposed by the INAI are without prejudice to any further civil or criminal liability.

ELECTRONIC MARKETING

Email marketing constitutes personal data processing and is subject to the Law, including applicable notice and consent

requirements.

ONLINE PRIVACY

The Regulations and Guidelines, which address the use of cookies, web beacons and other analogous technologies, require that when a data controller uses online tracking mechanisms that permit the automatic collection of personal data, it provide prominent notice of the use of such technologies, the fact that personal data is being collected, the type of personal data collected, the purpose of the collection and the options to disable such technologies.

An IP address alone may be considered personal data; however, no resolution or decision has been issued by the competent authority on this point.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Gabriela Alaña
Partner

T + 52 55 5261.1817

gabriela.alana@dlapiper.com

Ana Kuri
Associate

T + 52 55 5261.1847

ana.kuri@dlapiper.com

Paola Aguilar
Law Clerk

T +1 555.261.1818

maria.aguilar@dlapiper.com


MOLDOVA

Last modified 21 February 2022

LAW

The main national legal acts regulating personal data protection in Moldova are:

the Constitution of the Republic of Moldova (Article 28);

the Law No. 133 of 08 July 2011 on Personal Data Protection;

the Law No. 182 of 10 July 2008 regarding the approval of the National Centre for Personal Data Protection regulation,

structure, staff-limit and its financial arrangements;

the Government Decision No. 296 of 15 May 2012 on the approval of the Regulation regarding the Register of evidence

of the personal data controllers;

the Governmental Decision No. 1123 of 14 December 2010 on the approval of the requirements for the assurance of

personal data security and their processing within the information systems of personal data.  

The law on Personal Data Protection is the core legal act establishing the legal framework of personal data protection in Moldova. 

It has been adopted to harmonize the national regulations with the provisions of the Directive 95/46/EC of the European

Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data

and on the free movement of such data. 

In the near future we expect the adoption of a new Law on Personal Data Protection which will transpose the provisions of the

GDPR with some adjustments to Moldovan conditions. 

Please note that Moldova is not an EU country and European provisions on personal data protection are not directly applicable in

Moldova.

DEFINITIONS

Definition of personal data 

Personal data is defined as “any information relating to an identified or identifiable natural person (“personal data subject”)”. An

identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to

one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 

Definition of sensitive personal data 

Sensitive personal data is defined as special categories of personal data. Such special categories include data related to race, ethnic

origin, political opinions, religious or philosophical beliefs, social belonging, data concerning health or sex life, as well as data

relating to criminal convictions, administrative sanctions or coercive procedural measures.

NATIONAL DATA PROTECTION AUTHORITY


The National Centre for Personal Data Protection (“NCPDP”) is the national data protection authority. The permanent headquarters of the Centre are located in Chisinau, 48, Serghei Lazo str., MD-2004, T: +37322820801, F: +37322820807, www.datepersonale.md.

REGISTRATION

As of January 10, 2022, the requirement of mandatory registration or notification of personal data databases shall be abolished. 

However, according to the new provision, the controller shall consult with the NCPDP before starting any personal data processing operations where the data protection impact assessment indicates that the processing would generate an increased risk.

The data protection impact assessment should contain at least the following information:

The description of category of the data to be processed, the purpose of processing and legitimate interest (if any)

The description of the necessity and proportionality of processing operations in relation to the purpose of processing

A risk assessment for the rights and freedoms of data subjects, in particular the source, nature, specific degree of likelihood of materialization and severity of the increased risk

The description of risk prevention measures, including safeguards, security measures and mechanisms to ensure the

protection of personal data and to demonstrate compliance with the provisions of the data protection law.

DATA PROTECTION OFFICERS

The appointment of an internal data protection officer is required.

COLLECTION & PROCESSING

Personal data shall be processed with the consent of the personal data subject, unless an exception applies. 

The consent of the data subjects is not necessary where the processing is necessary for:

performance of a contract to which the personal data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

carrying out an obligation of the controller, under the law;

protection of the life, physical integrity or health of the personal data subject;

performance of tasks carried out in the public interest or in the exercise of public authority prerogatives vested in the

controller or in a third party to whom the personal data is disclosed;

the purposes of legitimate interest pursued by the controller or by the third party to whom personal data is disclosed,

except where such interest is overridden by the interests for fundamental rights and freedoms of the personal data

subject;

statistical, historical or scientific-research purposes, except where the personal data remains anonymous for a longer

period of processing 

Processing of special categories of personal data shall be prohibited, except for cases provided by the Law. 

Personal data undergoing processing must be:

processed fairly and lawfully;

collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those

purposes;

adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;

accurate and, where necessary, kept up to date;

kept in a form which permits the identification of personal data subjects for no longer than is necessary for the purposes

for which the data was collected and further processed. 

The data controller shall ensure the confidentiality of personal data. The data controller and other persons who have access to the


personal data, shall not disclose any information to a third party without the prior consent of the data subject unless one of the

following exclusions applies:

processing relates to data which is voluntary and manifestly made public by the personal data subject;

the personal data is rendered anonymous. 

The controller must implement appropriate technical and organizational measures to protect personal data against destruction,

alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure a level of security

appropriate to the risks represented by the processing and the nature of the data.

TRANSFER

Transfers of personal data by a controller or a processor are permitted, taking into account the principle of free movement of data, to EU countries and to third countries that ensure an adequate level of protection of personal data subjects’ rights and of the data intended for transfer.

The NCPDP is in charge of maintaining the list of the countries that ensure an adequate level of protection of personal data subjects’ rights.

The Law on Personal Data Protection also includes a list of context specific derogations, permitting transfers to countries that do

not ensure an adequate level of protection:

if the transfer is provided under an international treaty to which Moldova is a signatory;

the data subject consents to the transfer;

if the transfer is necessary for the conclusion or performance of an agreement or contract concluded between the

personal data subject and the controller or between the controller and a third party in the interest of the personal data

subject;

if the transfer is necessary in order to protect the life, physical integrity or health of the personal data subject;

if the transfer is carried out solely for journalistic, artistic, scientific and archive purposes of public interest;

if the transfer is made to other companies from the same group as the data controller, provided that the mandatory

corporate rules are observed;

the transfer is necessary for the accomplishment of an important public interest, such as national defence, public order or national security, carrying out in good order a criminal trial or ascertaining, exercising or defending a right in court, on the condition that the personal data is processed solely in relation to this purpose and only for as long as is necessary to achieve it;

if the processing takes place under the standard contract for cross-border data transmission, elaborated and approved by the NCPDP, concluded by the data controller.

Currently, no country is recognized as ensuring an adequate level of protection. 

The Republic of Moldova is not an EU member state. Thus, the EU standard contractual clauses are not applicable as such. The standard clauses may be used only as a data transfer agreement template and require amendment to meet local requirements.

SECURITY

The controller must implement appropriate technical and organizational measures to protect personal data against destruction,

alteration, blocking, copying, disclosure, and against other unlawful forms of processing, that shall ensure a level of security

appropriate to the risks represented by the processing and the nature of the data. 

Governmental Decision No. 1123 of 14 December 2010 on the approval of the requirements for the assurance of personal data security and their processing within personal data information systems is used as the reference for the minimum security measures to be implemented by the controller.

BREACH NOTIFICATION

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Moldova 707 | | | www.dlapiperdataprotection.com

Data controllers shall submit to the NCPDP an annual report on any security incidents involving information systems during that

year.

ENFORCEMENT

The NCPDP is responsible for the enforcement of the Law on Personal Data Protection. The NCPDP is entitled to:

carry out checks;

consider complaints from data subjects;

require the submission of necessary information about personal data processing by the data controller;

require the data controller or processor to undertake certain actions according to the law, including discontinuance of the processing of personal data;

file court actions.

Violation of personal data protection legislation may result in administrative liability. The maximum administrative penalty that can be imposed, as at the date of this review, is MDL (Moldovan lei) 15,000, which is about EUR 750.

If the violation has led to material or moral damages, the violator may be required by the court to reimburse such damages. 

The NCPDP may also suspend or prohibit the processing of data if the rules on personal data protection are breached.

ELECTRONIC MARKETING

The Law on Electronic Commerce dated July 22, 2004 provides for certain legal requirements for the distribution of commercial electronic messages in the area of electronic commerce. In particular:

commercial electronic messages are allowed only subject to the prior consent of a subscriber or addressee to receive such messages;

the recipient shall have easy access to information regarding the individual or legal entity sending the message;

commercial electronic messages regarding sales, promotional gifts, premiums etc. shall be unequivocally identified as such, and the conditions for receiving such promotions shall be clearly stated to avoid ambiguity.

ONLINE PRIVACY

At the date of this review, Moldovan law does not specifically regulate online privacy. 

There are no specific requirements on data location, except for the requirement of the prior authorization of the cross-border

transfer of data.


KEY CONTACTS

ACI Partners

www.aci.md

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.

Sergiu Chirica
Senior Associate

ACI Partners

T +373 22 279 323

schirica@aci.md

Marina Zanoga
Senior Associate

ACI Partners

T +373 22 279 323

mzanoga@aci.md


MONACO

Last modified 17 January 2022

LAW

Within the Principality of Monaco (Monaco) data protection is regulated by Data Protection Law n° 1.165 of December 23, 1993, modified from time to time and notably by Law n° 1.353 of December 4, 2008 and most recently by Law n° 1.462 of June 28, 2018 (the "DPL"). Furthermore, article 22 of the Monegasque Constitution protects the right to privacy and the secrecy of correspondence of every citizen.

Further, Monaco is a member of the Council of Europe and entered into Convention n° 108 of the Council of Europe of January 28, 1981 for the protection of individuals with regard to automatic processing of personal data, and into its additional protocol regarding supervisory authorities and transborder data flows, effective from April 1, 2009.

Monaco is not part of the EU and did not adopt Data Protection Directive 95/46/EC (hereinafter referred to as the "European Directive") or its successor, the General Data Protection Regulation (Regulation (EU) 2016/679) of April 27, 2016 (hereinafter referred to as the "GDPR").

As a consequence, the European Commission does not consider Monaco as ensuring an adequate and sufficient level of protection in conformity with Article 25 of the European Directive.

To address this issue, some of the European standards, and notably the European definition of "personal data", have already been transposed into Monegasque law by legislation dealing with the automated processing of personal data, in particular:

Law n°1483 of December 17, 2019, regarding the creation of a digital identity (and thus, of a digital identification number)

for citizens and residents of Monaco and, within this context, of a Monegasque National Register of Digital Identity, and

Law n°1482 of December 17, 2019, regarding the digital economy in general. 

A new draft law incorporating some of the European standards is also expected shortly. 

It is also important to note that, pursuant to article 3.2 of the GDPR, the GDPR is already applicable to companies established in Monaco that process personal data of persons (or "data subjects") residing in the EU where such processing is related to (i) the supply of goods or services to such persons (irrespective of whether a payment is required) or (ii) the monitoring of their behavior taking place within the Union. It shall be noted that in such a case the company established in Monaco may be required to designate in writing a representative in the European Union (article 27 of the GDPR).

DEFINITIONS

Definition of personal data

Under the DPL, personal data is defined as data enabling identification of a determined or determinable person. Any individual who can be identified, directly or indirectly, notably by reference to an identification number or to one or more factors specific to their physical, physiological, psychological, economic, cultural or social identity, is deemed to be determinable.


Definition of sensitive personal data

While not expressly defined under the DPL, sensitive personal data is considered to be personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as data concerning health or genetic data, sex life, and data concerning morals or social matters.

Definition of data processing 

Under the DPL, data processing is defined widely as any operation or set of operations performed on such data, whatever the

process used (including collection, recording, organization, modification, storage, extraction, consultation, destruction, as well as

exploitation, interconnection or reconciliation, transmission, broadcasting). 

Definition of the data processor/controller 

Under the DPL, the person in charge of the processing, or "Data controller", is any person (a natural person or a legal entity governed by private or public law) who, alone or jointly with others, determines the purpose and means of the processing and who decides on its implementation.

Definition of the data subject 

Any person whose personal data are processed.

NATIONAL DATA PROTECTION AUTHORITY

The Monegasque regulator is the Commission for Control of Personal Data (Commission de Contrôle des Informations Nominatives or "CCIN"), whose composition was recently amended by Sovereign Ordinance n° 8.575.

The CCIN has different missions and powers, which mainly include (i) a mission of registration and examination of cases (e.g. it receives declarations of processing, issues advice and opinions, and grants authorizations when needed), (ii) a mission of counsel and proposal (e.g. it makes proposals and recommendations to the competent authorities, informs data subjects of their rights and obligations, and publishes reports) and (iii) a mission of control and investigation.

REGISTRATION

Data controllers who process personal data must notify the CCIN and request approval so that their processing of personal data may be registered. Any change to the processing of personal data requires the registration to be amended. For data controllers that are legal persons governed by public law, public authorities, or bodies governed by private law entrusted with a mission of general interest, the decision is taken by the competent authorities or bodies following a reasoned opinion from the CCIN.

A recent Ministerial Order of 18 March 2021 has brought some changes to this procedure.

Any natural or legal entities governed by private law who intend to implement automated data processing including personal

information must first complete the required procedure with the CCIN.

There are four possible procedures to follow:

Ordinary declaration (all natural or legal persons governed by private law usually fall under the ordinary declaration procedure);

Simplified declaration (for all processing compliant with a referenced Ministerial Order, and only when it is clearly established that the processing operations do not adversely affect the rights and freedoms of the data subjects);

Authorization request (only for automated processing of personal data relating to suspected unlawful activities, offences or security measures, processing including biometric data required to check persons' identities, or processing for the purpose of surveillance);

Legal advisory request (only for processing relating to research in the field of health, excluding biomedical research, and for processing implemented by natural or legal persons governed by public law, public authorities, organizations governed by private law entrusted with a mission of general interest, or a concessionaire of a public utility).

The data controller must decide which procedure is best adapted to the processing it wants to implement. To do so, it needs to analyze the purpose of the processing and, depending on this purpose, complete one of the aforementioned procedures (ordinary declaration, simplified declaration, authorization request, or legal advisory request).

The notification to the CCIN should include at least the following information:

What data is being collected

Why the data will be processed

The categories of data subject

Whether the data will be transferred either within or outside Monaco.

DATA PROTECTION OFFICERS

There is no requirement in Monaco for organizations to appoint a data protection officer.

However, appointing a data protection officer is viewed by the CCIN as evidence of the measures a company has taken to ensure compliance with data protection legislation. In practice, however, companies in Monaco do not generally appoint data protection officers.

When one is appointed, the officer is usually responsible for informing and advising the members of the entity on their legal obligations regarding data processing and for cooperating with the CCIN.

COLLECTION & PROCESSING

Data processing must be justified by at least one of the following bases:

The data subject's consent

A legal duty imposed on the data controller

A public purpose

The performance of a contract entered into between the data controller and the data subject

The data controller's legitimate interests, unless the data subject's fundamental rights and liberties outweigh the controller's legitimate interests

If sensitive personal data is processed, at least one of the above bases must be met plus one from an additional list of more stringent conditions (set out in Article 12 of the DPL).

Additionally, the data controller must provide the data subject with fair processing information. This includes information about

the identity of the data controller, the purposes of processing, the identity of recipients, the right to oppose, access and amend

their data and any other information needed under the circumstances to ensure that the processing is fair.

TRANSFER

Monaco is not part of the EU, so the DPL does not distinguish between EEA jurisdictions and non-EEA jurisdictions.

However, the DPL provides that the transfer of data is authorized for cross-border access, storage and processing of data only to a country which offers equivalent data protection and reciprocity (and in particular circumstances, including for example when the data subject gave their consent to such transfer, or when the transfer of data is necessary to save their life or serves a public interest).

The CCIN has established a list of the countries deemed to offer equivalent protection and reciprocity.

Data transfers to countries with an adequate level of protection are not subject to the authorization by the CCIN.

The CCIN has adopted a position of principle and decided that all personal data transfers to a country or an organization which

does not ensure an adequate level of protection should, in any event, be submitted to the Commission in the form of a transfer

authorization application. Subsequently, the CCIN affirmed that it is necessary to submit a transfer authorization application to the

Commission if personal data will be accessed from a country that does not have an adequate level of protection.

The GDPR has an impact on data transfers to and from Monaco. Two situations must be distinguished:

Companies of the European Union that want to send data to Monaco:

They should no longer have to carry out any specific formalities with their supervisory authority as long as tools to protect the data are put in place between the European data controller and its subcontractor or subsidiary, notably:

o   An approved code of conduct pursuant to Article 40 of the GDPR;

o   An approved certification mechanism pursuant to Article 42 of the GDPR;

o   Standard data protection clauses approved by the European Commission (Article 46);

o   Binding corporate rules (Article 47).

Companies that want to send data from Monaco:

As described above, they are still subject to the data transfer formalities of the CCIN if they wish to send data to a country which does not have an adequate level of protection.

SECURITY

Data controllers must take appropriate technical and organizational measures designed to protect against unauthorized or

unlawful processing, accidental loss or destruction of, or damage to, personal data. 

Measures implemented must ensure an adequate level of security with regard to the risks posed by processing and by the nature

of the data to be protected.

Where the data controller or their representative engages a service provider to process personal data, they must ensure that the

service provider is able to comply with the obligations laid down in the two previous paragraphs.

The implementation of processing by such a service provider must be governed by a written agreement between the subcontractor and the data controller that stipulates specifically that the service provider and its employees act under the sole instruction of the data controller, and that the service provider is also accountable for the obligations relating to the security of the processing.

BREACH NOTIFICATION

There is no mandatory requirement in the DPL to report security breaches or losses to the CCIN or to data subjects.

ENFORCEMENT

The CCIN and Monegasque Courts are responsible for enforcing the DPL. If the CCIN becomes aware that a data controller is in

breach of the DPL, it can serve an enforcement notice requiring the data controller to resolve the non-compliance. Failure to

comply with an enforcement notice is a criminal offense and can be punished on conviction with imprisonment of one month to

one year or a fine of between €9,000 and €90,000 or both.


Sanctions remain rare. The CCIN website mentions only one sanction decision, dated July 18, 2017, which consisted of a warning and the imposition of an action plan to implement corrective measures against a Monegasque company that had not submitted to the CCIN a request to conduct automated processing of personal data.

ELECTRONIC MARKETING

Prior to implementing any electronic marketing activity the CCIN must be notified, as electronic marketing activities may use personal data. The DPL does not prohibit the use of personal data for the purpose of electronic marketing per se. However, when implementing electronic marketing activities a company must respect the provisions of Articles 1, 10-1, 10-2 and 14 of the DPL.

The automated or non-automated processing of personal data must not infringe the fundamental rights and freedoms enshrined in

Title III of the Constitution.

When marketing, personal data must be:

Collected and processed fairly and lawfully

Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes

Adequate, relevant and not excessive in relation to the purposes for which it is collected and / or further processed

Accurate and, if necessary, updated; every reasonable step must be taken to ensure that data which is inaccurate or incomplete, having regard to the purposes for which it was collected or for which it is further processed, is erased or rectified

Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is further processed.

Processing of personal data must be justified by one of the following bases:

Consent from the data subject(s)

Compliance with a legal obligation to which the data controller or their representative is subject

The public interest

The performance of a contract or pre-contractual measures with the data subject

The fulfillment of a legitimate motive on the part of the data controller, their representative or the recipient, on condition that the interests or fundamental rights and freedoms of the data subject are not infringed

Data subjects from whom personal data is collected must be informed of all of the following:

The data controller's identity and, if applicable, the identity of their representative in Monaco

The purpose of processing

The obligatory or optional nature of replies

The consequences for data subjects of failure to reply

The identity of recipients or categories of recipients

Their right to oppose, access and rectify their data

Their right to oppose disclosure to and use of personal data by a third party, or disclosure for the purposes of the third party's commercial use, including marketing

ONLINE PRIVACY

Prior to the use of traffic data, location data and cookies the CCIN must be notified. The use of traffic data, location data and

cookies will have to comply with the provisions of the DPL.

In its Deliberation No. 2019-083 of May 15, 2019, the CCIN has specified the main principles applicable to the methods of

depositing cookies and other tracers on the terminals of network users.

In this recommendation the CCIN insists on the requirement to display a banner as soon as an Internet user arrives on the visited site. It is also required that no cookie other than those necessary for the operation of the site be deposited on the user's terminal without the user's consent.

The banner must not be solely for information purposes but must allow the user to approve or refuse the deposit of cookies directly on the site by a positive action.
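The two CCIN requirements above (only strictly necessary cookies before any choice; a banner that records a positive action rather than merely informing) translate into a small piece of gating logic. The following is an added example, not code from the DLA Piper survey or from the CCIN; the cookie names, their category assignments and the `ConsentGate` class are constructed for illustration.

```javascript
// Added example: a consent gate modelling the CCIN cookie principles.
// Not part of the original page; cookie names/categories are constructed.

// Tri-state consent: the banner being displayed is NOT consent.
const CONSENT = Object.freeze({ PENDING: 'pending', ACCEPTED: 'accepted', REFUSED: 'refused' });

// Assumed cookie registry for the site: which cookies are strictly necessary
// for the service to operate and which serve other purposes.
const COOKIE_REGISTRY = Object.freeze({
  session_id:   { category: 'necessary' },
  csrf_token:   { category: 'necessary' },
  analytics_id: { category: 'analytics' },
  ad_tracker:   { category: 'advertising' },
});

class ConsentGate {
  constructor(registry) {
    this.registry = registry;
    this.state = CONSENT.PENDING; // banner shown, no positive action yet
    this.jar = new Map();         // stands in for document.cookie
    this.blocked = [];            // audit trail of refused writes
  }

  // Only an explicit positive action (accept or refuse) changes the state.
  recordChoice(choice) {
    if (choice !== CONSENT.ACCEPTED && choice !== CONSENT.REFUSED) {
      throw new Error(`invalid consent choice: ${choice}`);
    }
    this.state = choice;
  }

  // May this cookie be written given the current consent state?
  mayStore(name) {
    const entry = this.registry[name];
    if (!entry) return false;                        // unregistered cookies never pass
    if (entry.category === 'necessary') return true; // operation-critical: always allowed
    return this.state === CONSENT.ACCEPTED;          // everything else needs acceptance
  }

  setCookie(name, value) {
    if (!this.mayStore(name)) {
      this.blocked.push(name);
      return false;
    }
    this.jar.set(name, value);
    return true;
  }

  // On refusal or withdrawal, remove non-necessary cookies already stored.
  purgeNonEssential() {
    for (const name of [...this.jar.keys()]) {
      if (this.registry[name].category !== 'necessary') this.jar.delete(name);
    }
  }
}

// Scenario: page load before any choice, then acceptance, then withdrawal.
function demo() {
  const gate = new ConsentGate(COOKIE_REGISTRY);
  const beforeChoice = {
    session: gate.setCookie('session_id', 'abc'),     // allowed while pending
    analytics: gate.setCookie('analytics_id', 'u-1'), // blocked while pending
  };
  gate.recordChoice(CONSENT.ACCEPTED);
  const afterAccept = gate.setCookie('analytics_id', 'u-1');
  gate.recordChoice(CONSENT.REFUSED);
  gate.purgeNonEssential();
  return {
    beforeChoice,
    afterAccept,
    remaining: [...gate.jar.keys()],
    blocked: gate.blocked,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the model makes explicit is that the default state is neither consent nor refusal: a purely informational banner leaves the gate in `PENDING`, and in that state only the `necessary` category is ever written. Withdrawal is handled by re-recording the choice and purging what was stored under the earlier acceptance.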

According to the CCIN, an employer cannot access the contents of private messages sent or received through the professional e-mail system without the employee's presence and agreement.

However, for messages to be considered private, employees must identify them as such, for example by including key words such as "private" or "personal" in the message's subject line.

KEY CONTACTS

Gordon S. Blair Law Offices

gordonblair.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization's level of data protection maturity.

Gilbert Delacour
CEO

Gordon S. Blair Law Offices

T +377 93 25 84 00

gilbertdelacour@gordonblair.com


MONGOLIA

Last modified 23 February 2022

LAW

On 17 December 2021, the Parliament of Mongolia (the "Parliament") adopted the Law of Mongolia on Personal Data Protection (the "Data Protection Law"), which will come into effect and full force from 1 May 2022. The Data Protection Law applies to matters related to personal privacy and to relations in connection with the collecting, processing, using and security of Personal Data (as defined below) of an individual, as well as the collection, processing and use of an individual's Personal Data with the help of technology and software. The Data Protection Law regulates the handling of Personal Data and Sensitive Personal Data by Data Controllers (as defined below).

The Data Protection Law defines specific components of Personal Data and the persons that are subject to its regulations. For instance, "data owner" means any individual (or his/her legal representative) who can be determined by his/her Personal Data as defined under the Data Protection Law ("Data Owner"), and "data controller" means a natural or legal person who collects, processes and uses Personal Data based on the permission of the Data Owner or in accordance with the law ("Data Controller").

The Data Protection Law mainly divides human data (information) into two categories: 

Personal Data; and

Sensitive Personal Data.

DEFINITIONS

Definition of personal data

Pursuant to Article 4.1.11 of the Data Protection Law, the following information refers to Personal Data: 

sensitive personal data;

first and last name;

date and place of birth;

permanent address and location data;

citizen’s registration number;

properties;

education and membership;

online identifiers; and

any other information that can be used to directly or indirectly identify a natural person.

Definition of sensitive personal data

Pursuant to the Data Protection Law, Sensitive Personal Data is subject to personal privacy. Sensitive Personal Data as defined in Article 4.1.12 of the Data Protection Law means:

ethnicity and race;

religion and beliefs;

health, correspondence, genetic and biometric data;

personal key of an electronic signature;

criminal status and record; and

any data concerning sexual orientation and sexual relationships.

NATIONAL DATA PROTECTION AUTHORITY

The National Human Rights Commission, the Ministry of Digital Development and Communications, and other relevant state

authorities have various degrees of oversight of data protection under Chapter 6 of the Data Protection Law. 

The Human Rights Commission is entitled to exercise the following with respect to data protection:

monitor the implementation of the legislation on protection of Personal Data, organise public awareness and advocacy

activities and to submit requirements and recommendations to relevant organisations and provide comment on the

relevant regulations;

receive complaints and information for investigation or initiate an investigation in its sole discretion if it is considered that

human rights and freedoms protected under the Data Protection Law have been infringed or potentially infringed in the

course of collecting, processing, using and protecting Personal Data and to submit requirements and recommendations to

the relevant organisations;

provide requirement and recommendations to the relevant entities in the context of collecting, processing, using and

protecting Sensitive Personal Data;

receive and review records submitted by Data Controller regarding the violations detected during the collection,

processing and use of Personal Data and the measures taken to eliminate its negative consequences, and make

recommendations on further issues to be considered; and

make recommendations for the prevention of violations of human rights and freedoms in the collection, processing and

use of information through technology without human intervention.

The Ministry of Digital Development and Communications is entitled to exercise the following with respect to data protection: 

maintain the implementation of legislation on protection of Personal Data, organise public awareness and advocacy

activities, provide professional advice and cooperate with the relevant organisations;

adopt the technological safety requirements and regulations to be followed in the processing of sensitive personal, genetic and biometric data; and

receive and register information about security breaches and cyber-attacks on information systems intended for data

collection, processing and use, and take necessary measures immediately. 

In addition, other state authorities are entitled to monitor the collection, processing and use of Personal Data by Data Controllers

within the scope of their functions specified under relevant laws.     

REGISTRATION

There is no registration requirement for Data Controllers or data processing activities, except that Data Controllers have the obligation to keep records of:

their activities of collection, processing and use of Personal Data; and

their response to incidents causing damage to Personal Data.

Data Controllers are required to submit records of their response to such incidents to the National Human Rights Commission annually, or at any time on request of the National Human Rights Commission.

DATA PROTECTION OFFICERS


Organisations are not required to appoint a data protection officer. However, the Data Protection Law provides that the Data Controller and any person who processes the data must adopt internal rules and regulations on:

maintaining information security; and

measures to be taken in case of data loss, and a plan to deliver information to the Data Owner and the relevant state authority.

In this regard, organisations, as Data Controllers and processors, may appoint a data protection officer of their own volition.

COLLECTION & PROCESSING

In accordance with Chapter 2 of the Data Protection Law, state authorities, individuals, legal entities and other natural persons

may collect, process and use (i) Personal Data and (ii) Sensitive Personal Data on the grounds provided by law and with the

permission of the Data Owner. 

The Data Protection Law mainly divides the collection and processing of Personal and Sensitive Personal Data as follows: 

collection and processing of Personal Data;

collection and processing of Sensitive Personal Data;

collection and processing of Genetics and Biometric data (types of Sensitive Personal Data); and

collection and processing of Personal Data after death of the Data Owner. 

State authorities can collect and process Personal Data where:

permitted by the Data Owner or by law;

necessary for the execution and enforcement of contractual obligations;

necessary for the data controller to exercise its rights and obligations in the course of employment relations;

necessary to enforce obligations under international treaties to which Mongolia is a party; or

carried out as enforcement action by authorities as provided under applicable laws, without interfering with the legitimate interests and rights of the Data Owner.

Legal entities and any persons other than state authorities can collect and process Personal Data where:

permitted by the Data Owner or by law;

necessary for the execution and enforcement of contractual obligations;

necessary for the data controller to exercise its rights and obligations in the course of employment relations;

the Personal Data has legally become available to the public; or

for the creation of historical, scientific, artistic and literary works, provided the anonymity of the Data Owner is maintained.

Unless otherwise provided under relevant laws, Data Controller must obtain digital/electronic or written permission from Data

Owner upon presenting the following terms and conditions to the Data Owner: 

definitive purpose of collecting, processing and using the Personal Data;

name and contact information of the Data Controller;

list of Personal Data to be collected, processed, and used;

period of processing and using Personal Data;

whether to make the Personal Data publicly available;

whether to transfer Personal Data to other persons together with the name of recipient and list of Personal Data to be

transferred; and

form of cancelling the permission. 

The collection, processing and use of Sensitive Personal Data is prohibited except as follows: 

state authorities and other persons, as permitted by the Data Owner;

health workers exercising their rights and responsibilities under applicable laws in order to protect the health of an individual; or

in the process of providing explanations, declarations and evidence in accordance with the law on claims of citizens or legal entities.

Genetic and Biometric data can only be collected and used by the following state authorities in accordance with applicable laws:

unique human body data (fingerprints) by the state registration authority for the purpose of civil registration and overseeing the voter registration;

biometric data by the border protection authority for the purpose of identifying and verifying a foreign citizen crossing the state border;

genetic and biometric information by the competent authorities specified in the law for the purpose of combating, preventing and investigating crimes and violations;

genetic and biometric data by the court forensic organisation for forensic examination of criminal, civil, administrative and other cases and dispute proceedings;

biometric information of Parliament members for the purposes of attendance and voting; and

an employer may, with the employee's permission, use biometric data other than fingerprints to facilitate the identification and verification of employees in accordance with internal employment regulations established in accordance with the Labour Law.

Also, Personal Data and Sensitive Personal Data may be collected, processed and used for  (i) journalistic purposes or (ii) for the

purpose of creating historical, scientific, artistic and literary works and preparing statistical information based on the permission

from Data Owner.           

In addition, the Data Protection Law provides that unless otherwise provided by law, (i) if Data Owner has died or is considered

dead, the relevant data shall be collected, processed and used with the written permission of the successor, his/her family member

or legal representative and (ii) permission to collect, process or use Sensitive Personal Data is not required 70 years after the

death of the Data Owner.

TRANSFER

Under the Data Protection Law, transfer of Personal Data is prohibited unless otherwise approved under the relevant laws or permitted by the Data Owner.

SECURITY

Data Controller must take the following measures for the purpose of maintaining data security:

adopt internal data security rules and regulations;

approve a plan in accordance with the law to take measures and deliver notice to the state authority and Data Owner in

the event of data loss;

take all measures to ensure the integrity, confidentiality and accessibility of information technology system used for data

collection, processing and use;

adopt and follow procedures and instructions on restricting the use of data, deleting the data and making it impossible to

identify the Data Owner; and

in the event of making decisions that affect the rights, freedom and legitimate interests of the Data Owner or regularly

processing Sensitive Personal Data, Data Controller must evaluate the situation in order to ensure the security of data

processing activities. Guidelines and procedures for the evaluation will be adopted by the Ministry of Digital Development

and Communications as recommended by the National Human Rights Commission. 

The Ministry of Digital Development and Communications will determine the minimum requirements for data security,

instructions for assessment and technology of storage during the data collection, processing and use.

BREACH NOTIFICATION

The Data Protection Law states that the data collector must promptly notify the Data Controller of any breach that occurs during data collection and processing. If such a breach has the potential to damage the rights and legitimate interests of the Data Owner, the Data Controller must immediately notify the Data Owner, including the following:

the Data Owner who will be affected by the breach;

name and contact information of the Data Controller;

possible negative consequences from the breach; and

measures taken to eliminate potential negative consequences from the breach.

ENFORCEMENT

The Ministry of Digital Development and Communications and the National Human Rights Commission are responsible for the enforcement of the Data Protection Law and will investigate an act or practice if (i) the act or practice may violate the privacy of an individual and (ii) a complaint about the act or practice has been submitted. Pursuant to the Data Protection Law, a Data Owner may submit a claim to the administrative courts or the competent authority, as provided under the relevant laws, with respect to data collection, processing and use by a state authority. Complaints about data collection, processing and use by other data controllers may be submitted to the other authorised entity or to the National Human Rights Commission.

Any breach or violation of the Data Protection Law is subject to sanctions under the Violations Law or the Criminal Code of Mongolia.

ELECTRONIC MARKETING

There are no specific provisions under the Data Protection Law or other Mongolian laws regulating electronic marketing

communications. It is important to point out, however, that, according to the Data Protection Law, all processing of consumer

Personal Data (which includes the collection, storage and making available to the public) can only occur upon the appropriate legal

basis for such purpose and permission provided by the Data Owner.

ONLINE PRIVACY

Currently, there are no laws or regulations in Mongolia regulating online privacy, including cookies and location data. Although the

Data Protection Law does not address online privacy including cookies and location data, the Ministry of Digital Development and

Communications, within the authority entitled to it under the Data Protection Law and other relevant laws, may adopt regulations

concerning the storage, use, disclosure and other processing of data collected on the internet.

KEY CONTACTS

DB&GTS LLP

dblaw.mn/

Battushig Batsuren
Partner

DB&GTS LLP

T +976 99075047

b.batsuren@dblaw.mn

Ariunbayar Enkhbat
Associate

DB&GTS LLP

T +976 88006058

e.ariunbayar@dblaw.mn


DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.


MONTENEGRO

Last modified 17 January 2022

LAW

The Law on Protection of Personal Data, Official Journal of Montenegro, nos. 79/2008, 70/2009, 44/2012 and 22/2017 (DP Law), is the governing data protection law. It was first enacted in December 2008 and last amended in April 2017.

The Montenegrin Parliament is expected to adopt a new Data Protection Law to harmonize Montenegrin data protection law with the EU General Data Protection Regulation (GDPR). However, there is no certainty as to when, i.e. within which timeframe, such adoption (and subsequent implementation) will occur.

DEFINITIONS

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable data subject. Data subjects are natural

persons whose identity is or can be determined, directly or indirectly, in particular by reference to a personal identification

number or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.

Definition of sensitive personal data

Under the DP Law, sensitive personal data is data relating to:

Ethnicity or race

Political opinion, or religious or philosophical belief

Trade union membership

Information on health condition and sexual life

NATIONAL DATA PROTECTION AUTHORITY

The Agency for Protection of Personal Data and Free Access to Information (DPA) is the local data protection authority. The DPA is currently

located at:

Bulevar Svetog Petra Cetinjskog 147 Podgorica

For more information see the DPA’s website at www.azlp.me

REGISTRATION

Each data controller must do the following:


Register as a data controller (this registration as a controller is to be performed only once) 

Separately register each database of personal data (‘Database’) which it intends to establish, before the database is

established.

Both registrations must be submitted online through specific forms, which are accessible via the DPA's website. The type and scope of the information that must be included in these forms is explicitly prescribed by the DP Law (eg, the data controller's name and the address of its registered seat, name of the Database, legal basis for the processing and purpose of the processing, types of processed data, categories of data subjects, and (if applicable) information on any data transfers out of Montenegro). Any significant change to the registered data processing activities subsequent to the registration should also be notified to and registered with the DPA.

Exceptionally (ie, if the intended data processing represents a special risk for the rights and freedoms of individuals), a data controller may, depending on the circumstances of each particular case, be obliged to obtain the DPA's prior approval for such processing (eg, if biometric data is to be processed without the data subject's consent).

DATA PROTECTION OFFICERS

Under the DP Law, a data controller is required to appoint a DPO following the Database's establishment. However, a DPO is not required if the data controller has fewer than ten employees involved in the processing of personal data.

COLLECTION & PROCESSING

A prerequisite for the legitimate processing of personal data is to obtain the data subject's valid, informed consent. The consent requirements are explicitly described in the DP Law (eg, data subjects have to be informed about the purpose and legal basis for the respective processing). The processing of personal data without consent is only allowed under the exceptions listed in the DP Law (eg, if the processing is necessary to meet the data controller's statutory obligations under the law, or for the protection of the life and other vital interests of a data subject who is not capable of personally consenting).

As a general matter, in order to comply with the provisions under the DP Law, the processing has to be done in a fair and lawful

manner, the type and scope of processed data must be proportionate to the purpose of the respective processing, the data should

not be retained longer than necessary in order to meet the defined purpose, and the data has to be accurate, complete and

up-to-date.

TRANSFER

Under the DP Law, personal data may be transferred to countries or international organizations, where an adequate level of

personal data protection exists, subject to the DPA’s approval. The DPA issues such approval only where it establishes that

adequate measures for the protection of personal data are undertaken (criteria for the adequacy assessment include, for example,

the type of the data and the statutory rules in force in the country to which the data is to be transferred).

However, in certain cases explicitly prescribed by the DP Law, the DPA's approval is not required for data transfers out of Montenegro (eg, if the data subject consented to the transfer and was made aware of the possible consequences of such transfer, or the data is transferred to the European Union or European Economic Area or to any country that the EU Commission has determined ensures an adequate level of data protection).

SECURITY

The DP Law requires that both data controllers and processors undertake technical, personnel and organizational measures for

the protection of personal data against loss, destruction, unauthorized access, alteration, publication and misuse. Further,

individuals who process personal data are required to keep the processed personal data confidential.

Additionally, data controllers are required to establish internal rules regarding their personal data processing and the protection of that data (which should identify the measures undertaken). Data controllers should also determine which employees have access to the processed data (and to which of this data), as well as the types of data which may be disclosed to other users (and the conditions for the respective disclosure). Finally, if the processing is performed electronically, a data controller is required to ensure that certain information on the use and recipients of the respective data is automatically recorded in the information system.

BREACH NOTIFICATION

There is no data security breach notification requirement under the DP Law. However, the Law on Electronic Communications ('Official Journal of Montenegro', nos. 40/2013, 56/2013, 2/2017 and 49/2019) ('EC Law') does impose a duty on operators to notify, without undue delay, the Montenegrin Agency for Electronic Communications and Postal Activity (EC Agency) and the DPA of any breach of personal data or privacy of the data subjects. The affected data subject should also be notified if the breach may have a detrimental effect on their personal data or privacy (unless the EC Agency issues an opinion that such notification is not needed). Failure to comply with any of the above duties is subject to liability and fines ranging from EUR 6,000 to EUR 30,000 for a legal entity and from EUR 300 to EUR 3,000 for a responsible person within a legal entity; if material gain was obtained through the violation, a protective measure, including seizure of the respective gain, may be imposed in addition to the monetary fine.

ENFORCEMENT

The DPA is the competent authority for the DP Law’s enforcement. It is authorized and obliged to monitor implementation of the

DP Law, both ex officio, and upon a third-party complaint.

When monitoring the DP Law’s implementation, the DPA is authorized to pass the following decisions:

Order removal of the existing irregularities within certain period of time

Temporarily ban the processing of personal data which is carried out in violation of the DP Law

Order deletion of unlawfully collected data

Ban transfer of data outside of Montenegro or its disclosure to data recipients carried out in violation of the DP Law

Ban data processing by an outsourced data processor if it does not fulfil the data protection requirements or if its

engagement as a data processor is carried out in contravention to the DP Law.

The DPA’s decisions may not be appealed, but an administrative dispute before the competent court may be initiated against the

same.

The DPA may also file a request for the initiation of civil proceedings. The offenses and sanctions are explicitly prescribed by the DP Law, and include monetary fines ranging from €500 to €20,000 for a legal entity and from €150 to €2,000 for a responsible person in a legal entity.

There is also potential criminal liability. The unauthorized collection and use of personal data is a criminal offense under the Montenegrin Criminal Code, punishable with a fine (in an amount to be determined by the court) or imprisonment of up to one year. Both natural persons and legal entities can be subject to criminal liability.

ELECTRONIC MARKETING

Electronic marketing is not governed by the DP Law. Nevertheless, this law does govern protection of personal data used in direct

marketing. In that regard, the law requires that data subjects have to be provided with a possibility to object to the processing of

their personal data for direct marketing purposes prior to the commencement of the respective processing. Regarding the use of

sensitive personal data in direct marketing, it is explicitly prescribed that a data subject’s consent is a requirement for the

respective processing.

Although not governed by the DP Law, there are other regulations which govern electronic marketing, including the Law on Electronic Trade ('Official Journal of the Republic of Montenegro', no. 80/04 and 'Official Journal of Montenegro', nos. 41/10, (…), 56/13) ('ET Law'). One of the most important rules prescribed by the ET Law is that sending unsolicited commercial messages is not allowed unless the prior consent of the recipients of the respective marketing is obtained. It is strictly forbidden to send any marketing messages to individuals who have indicated that they do not want to receive them (ie, have opted out), and a service provider who sends unsolicited commercial messages is required to establish and maintain a record of individuals who have opted out. A violation of these rules is subject to liability, with fines ranging from EUR 500 to EUR 17,000 (for a legal entity) and from EUR 100 to EUR 1,500 (for a responsible person in a legal entity). For particularly serious or repeated violations, an order banning or suspending the business activity (for three to six months) may be imposed on the entity responsible for the violations.

ONLINE PRIVACY

There is no specific law or regulation explicitly governing online privacy, including cookies. Accordingly, the general data

protection rules, as introduced by the DP Law, are applicable to online privacy, to the extent personal data is processed.

On the other hand, the EC Law, as defined under Breach Notification above, introduces relevant rules that are mandatory for the operators under this law. For example, a user of public electronic communication services is particularly entitled to the protection of the secrecy of their electronic communications in compliance with the DP Law.

Further, the EC Law imposes explicit rules on traffic data and location data. Under these rules, operators are:

Required to retain certain traffic data and location data for certain purposes explicitly set out by the law (for example, for

the detection and criminal prosecution of criminal offenders), whereas the retention period should last at least six months

and would not be longer than two years (‘Retention Obligation’), keeping in mind that this obligation does not apply to

data which reveals a content of electronic communications.

Regarding traffic data related to subscribers/users which is not subject to the Retention Obligation, an operator is

required to delete this data if it is no longer needed for the communication’s transmission or can keep it, but only if it

modifies the respective data in a way that it cannot be linked to a particular person. Apart from this, it is also prescribed

that:

If the traffic data's retention purpose is to calculate the costs of the relevant services/interconnection, it can be retained for as long as claims regarding the respective costs can legally be made, provided that the user is informed of the purpose and duration of the processing; and

If the traffic data’s processing purpose is to promote and sell electronic communication services or to provide

value added services, such processing is allowed, but only with the data subjects’ prior consent (which can be

withdrawn at any time)

Regarding location data which is not subject to the Retention Obligation, an operator is allowed to process it but only

with the data subject’s consent (which can be withdrawn at any time) or if the respective data is modified in a way that it

cannot be linked to a particular person without consent.

Failure to comply with any of the above rules regarding the processing of traffic or location data not covered by the Retention Obligation is subject to offence liability and fines ranging from EUR 4,000 to EUR 20,000 for a legal entity and from EUR 200 to EUR 2,000 for a responsible person in a legal entity.


KEY CONTACTS

Karanovic & Nikolic

www.karanovic-nikolic.com/


Milena Rončević Pejović
Attorney at Law in cooperation with Karanović & Partners

Karanovic & Partners

T +382 20 238 991/ +382 20 335 001

milena.roncevic@karanovicpartners.com

Sanja Spasenović
Attorney at Law in cooperation with Karanović & Partners

Karanovic & Partners

T +381 11 3094 200/ +381 11 3955 413

sanja.spasenovic@karanovicpartners.com


MOROCCO

Last modified 28 January 2019

LAW

Morocco’s law governing privacy and data protection is Law No 09-08, dated February 18, 2009 relating to protection of

individuals with regard to the processing of personal data and its implementation Decree n° 2-09-165 of May 21, 2009 (together

the DP Law).

DEFINITIONS

Definition of personal data

Pursuant to Article 1 of the DP Law, personal data is defined as any information, regardless of its nature or format, relating to an identified or identifiable person.

Definition of sensitive personal data

Sensitive personal data is defined under the law as personal data which reveals the racial or ethnic origin, political opinions, religious or philosophical beliefs or union membership of the person concerned, or which relates to their health, including genetic data (article 1.3 of the DP Law).

NATIONAL DATA PROTECTION AUTHORITY

The relevant authority is the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles, CNDP).

REGISTRATION

The processing of personal data is subject:

To a prior declaration to be filed with the Data Protection National Commission, and

To the prior authorization of the Data Protection National Commission (Commission Nationale de Protection des Données Personnelles) when the processing concerns any of the following:

Sensitive data (eg, revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, including genetic data)

Using personal data for purposes other than those for which they were initially collected

Genetic data, except for those used by health personnel and that respond to medical purposes

Data relating to offenses, convictions or security measures, except for those used by the officers of the court


Data which includes the number of the national identity card of the concerned person 

The declaration and authorization includes a commitment that the personal data will be treated in accordance with the DP Law.

The prior declaration and authorization shall include, without limitation, the following information:

The name and address of the person in charge of the processing and, if applicable, its representative

The name, characteristics and purpose(s) of the intended processing

A description of the category or categories of data subjects, and the data or categories of personal data relating thereto

The recipients or categories of recipients to whom the data are likely to be communicated

The intended transfers of data to foreign states

The data retention time

The authority with which the data subject may exercise, if any, the rights granted to him / her by law, and the measures

taken to facilitate the exercise of these rights

A general description allowing a preliminary assessment of the appropriateness of the measures taken to ensure the

confidentiality and security of processing, and

Overlap, interconnections, or any other form of data reconciliation and their transfer, subcontracting, in any form, to third

parties, free of charge or for consideration

 

DATA PROTECTION OFFICERS

There is no requirement for a data protection officer under the DP Law.

COLLECTION & PROCESSING

The personal data must be processed in accordance with the following principles:

Treated fairly and lawfully

Collected for specific, explicit and legitimate purposes

Adequate, relevant and not excessive

Accurate and necessary and kept up-to-date

Kept in a form enabling the person concerned to be identified

As a general rule, the processing of personal data must be subject to the prior consent of the relevant data subject.

However, personal data can be processed without the consent of the relevant data subject where the processing is necessary for the:

Compliance with a legal obligation to which the relevant data subject or the person in charge of the processing are

submitted

Execution of a contract to which the relevant data subject is party or in the performance of pre-contractual measures

taken at the request of the latter

Protection of the vital interests of the relevant data subject, if that person is physically or legally unable to give its consent


Performance of a task of public interest or related to the exercise of public authority, vested in the person in charge of

the processing or the third party to whom the data are communicated

Fulfillment of the legitimate interests pursued by the person in charge of the processing or by the recipient, provided that the interests or fundamental rights and freedoms of the relevant data subject are not disregarded

TRANSFER

Prior authorization from the National Commission is required before any transfer of personal data to a foreign state.

Further, the person in charge of the processing operation can transfer personal data to a foreign state only if the said state ensures

under its applicable legal framework an adequate level of protection for the privacy and fundamental rights and freedoms of

individuals regarding the processing to which these data is or might be subject, unless:

The data subject has expressly consented to the transfer

The transfer and subsequent processing is required for:

Compliance with a legal obligation to which the concerned person or the person in charge of the processing are

submitted

The execution of a contract to which the concerned person is party or in the performance of pre-contractual

measures taken at the request of the latter

The protection of the vital interests of the relevant data subject, if that person is physically or legally unable to

give its consent

Performance of a task of public interest or related to the exercise of public authority, vested in the person in

charge of the processing or the third party to whom the data are communicated

Fulfillment of the legitimate interests pursued by the data controller or by the recipient, when not outweighed by

the interests or fundamental rights and freedoms of the relevant data subject

In practice, the CNDP interprets the legitimate interests exception very restrictively and is generally more comfortable relying on the data subject's consent for any transfer to a foreign state.

SECURITY

Article 23 of the DP Law provides that an organization is required to implement all technical and organizational measures to

protect personal data in order to prevent it being damaged, altered or used by a third party who is not authorized to have access,

as well as to protect it against any form of illicit processing.

Additionally, in appointing processors and subcontractors an organization must choose a processor or subcontractor who

provides sufficient guarantees with regard to the technical and organizational measures relating to the processing to be carried out

while ensuring compliance with these measures.

 

 

BREACH NOTIFICATION

There is no breach notification requirement under the DP Law, except, where relevant, through the application of the GDPR.

ENFORCEMENT


The Data Protection National Commission enforces compliance of the DP Law.

Articles 50 to 64 provide that non-compliance with the DP Law is punishable by a fine ranging from DH 10,000 to DH 600,000 and/or imprisonment of between three months and four years.

If the offender is a legal person, and without prejudice to the penalties which may be imposed on its officers, the fines are doubled.

In addition, the legal person may be punished with one of the following penalties:

The partial confiscation of its property

Seizure of objects and things whose production, use, carrying, holding or selling is an offense

The closure of the establishment(s) of the legal person where the offense was committed

 

ELECTRONIC MARKETING

Direct marketing by means of an automated calling machine, a fax machine, email or a similar technology which uses, in any form whatsoever, an individual's data without their express prior consent to receive direct prospecting is prohibited.

However, direct marketing via email may be allowed if the recipient's email address was obtained directly from him / her.

In the absence of consent, unwanted emails can only be sent if all of the following conditions are satisfied:

The contact details were provided in the course of a sale

The marketing relates to a similar product

The recipient was given a method to opt out of the use of their contact details for marketing when they were collected

ONLINE PRIVACY

The general data protection principles under the DP Law apply.

 


KEY CONTACTS


Christophe Bachelet
Partner

T +33 140 152 559

Christophe.Bachelet@dlapiper.com

Mehdi Kettani
Partner

Mehdi.Kettani@dlapiper.com

Kawtar Bedraoui Idrissi
Associate

T +212(0)520 42 78 33

kawtar.bedraoui@dlapiper.com


MOZAMBIQUE

Last modified 10 December 2021

LAW

In Mozambique there is no specific legislation on data protection or privacy. However, there are other sources of law that impose

some privacy obligations, including:

The Civil Code (Decree-Law no. 47344, of November 25, 1966, in force in Mozambique through Edict no. 22869, dated

September 4, 1967)

The Penal Code (Law n.° 24/2019, of December 24)

The Labour Law (Law n.º 23/2007, of August 1)

The Electronic Transactions Law (Law n.º 3/2017, of January 9) 

In addition, the Constitution of the Republic of Mozambique provides that all citizens are entitled to the protection of their private

life and have the right to honor, good name, reputation, protection of their public image and privacy. Further, Article 71 of the

Constitution identifies the need to legislate on access, generation, protection and use of computerized personal data (either by

public or private entities); however, implementing legislation has not yet been approved.

DEFINITIONS

Definition of personal data

The Electronic Transactions Law defines personal data as any information relating to a natural person who can be directly or indirectly identified by reference to one or more factors, for example an identification number.

Definition of sensitive personal data

There is no law defining sensitive personal data. However, the Constitution of the Republic of Mozambique imposes restrictions on recording and handling any individually identifiable information concerning a person’s political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union, and particulars relating to the person’s privacy.

NATIONAL DATA PROTECTION AUTHORITY

There is no data protection authority in Mozambique.

REGISTRATION

There is no data protection registration requirement in Mozambique.

DATA PROTECTION OFFICERS

The Electronic Transactions Law requires the data processor to appoint a person responsible for compliance with the provisions on electronic personal data protection.

COLLECTION & PROCESSING

Under the Constitution of the Republic of Mozambique, individually identifiable information concerning political, philosophical or ideological beliefs, religious beliefs, membership in a political party or trade union, and particulars relating to the person’s privacy may not be stored or processed in a database.

TRANSFER

The law does not generally restrict cross-border transfers of personal information. The Constitution of the Republic of Mozambique imposes restrictions on disclosures of personal information to third parties.

SECURITY

Under the Electronic Transactions Law (Law n.º 3/2017, of January 9), the person or entity responsible for processing electronic data must protect personal data against risks, losses, unauthorized access, destruction, use, modification or disclosure.

BREACH NOTIFICATION

There is no breach notification requirement in Mozambique.

ENFORCEMENT

Under the Electronic Transactions Law, a violation of the data protection duty or of the duties of a data processor is subject to a fine of between 30 and 90 minimum wages of the public administration sector, in the absence of a more serious punishment.

The Penal Code (Law n.° 24/2019, of December 24) provides for certain cybercrimes, such as intrusion into an automated database, which is punishable by imprisonment of up to two years and a corresponding fine. Other cybercrimes, such as fraud through electronic means and unauthorized use of data resulting in unjust enrichment, are punishable by imprisonment of generally one to five years and a corresponding fine. The new Penal Code attempts to bridge the gap by identifying punishable cybercrimes related to data protection.

However, given that Mozambique has neither specific data protection laws nor a specific authority responsible for overseeing data protection matters, enforcement of data protection-related matters is minimal.

ELECTRONIC MARKETING

The rules applicable to electronic advertisement and marketing are provided under the Advertisement Code (Decree n.º 38/2016, of August 31) and the Electronic Transactions Law (Law n.º 3/2017, of January 9).

Under the Electronic Transactions Law, express consent from a recipient is required prior to sending direct marketing communications via automated dialing systems, fax machines and email, unless one of the following applies:

The sender obtained the contact details of the recipient during the sale or negotiations for the sale of a product or service to the recipient

The direct marketing refers to products or services similar to those sold to the recipient

At the moment of initial collection of the data, the recipient was offered the option to refuse the use of his or her contact details and did not refuse

The recipient has not refused the use of his or her data in any subsequent communication

Under the Advertisement Code, electronic marketing messages should be clearly identified and include sufficient information to allow the common recipient to easily understand all of the following:

The nature of the message

The advertiser

The promotional offers, such as discounts, prizes, gifts and promotional contests and games, as well as the conditions to which they are bound (if applicable)

All direct marketing messages must provide recipients with information about how to opt out of further marketing communications, as well as the identity of the source from which the consumer’s contact details were obtained.

ONLINE PRIVACY

Other than the general rules described above, there are no specific rules applicable to online privacy.

KEY CONTACTS


Eduardo Calu
Managing Partner

SAL & Caldeira Advogados, Lda.

T +258 21 241 400

ecalu@salcaldeira.com


MYANMAR

Last modified 13 December 2021

LAW

There is no general data protection law in Myanmar. Relevant provisions on data protection and privacy can be found in various pieces of legislation, including:

Financial Institutions Law (2016)

Telecommunications Law (2013)

Notification 116/97 of the Ministry of Finance and Revenue

Law Relating to Private Health Care Services (2007), and

Electronic Transactions Law (2004) and its 2021 amendment.

DEFINITIONS

Definition of Personal Data

Personal Data means any information that relates to an identified or identifiable living individual (Section 2(l) of the Electronic Transactions Law, as amended in 2021).

Definition of Sensitive Personal Data

No definition provided.

NATIONAL DATA PROTECTION AUTHORITY

None.

REGISTRATION

N/A

DATA PROTECTION OFFICERS

There is no definition of Data Protection Officer, but there is a definition of Personal Data Administrator. The Personal Data Administrator (“PDA”) means “a person and its staff authorized by a government department or an entity having power to conduct the collecting, storing and using of personal data according to the provision of this law or any existing law.” (Section 2(m) of the Electronic Transactions Law, as amended in 2021).

COLLECTION & PROCESSING

By implication from relevant laws, collection and processing of personal data requires consent.


TRANSFER

By implication from relevant laws, transfer of personal data requires consent.

SECURITY

By implication from relevant laws, personal data must be kept with reasonable security arrangements.

BREACH NOTIFICATION

No obligation.

ENFORCEMENT

None so far as at December 13, 2021.

ELECTRONIC MARKETING

There is no specific law; however, electronic marketing would generally be governed by the Competition Law (2015) and the Consumer Protection Law (2019).

ONLINE PRIVACY

There is no specific law; however, the Law Protecting the Privacy and Security of Citizens (2017) and the Electronic Transactions Law deal with the privacy of communications and personal data.

KEY CONTACTS


Nwe Oo
Senior Associate

Tilleke & Gibbins

T +95 772 440 001

nweoo@tilleke.com


NAMIBIA

Last modified 7 December 2021

LAW

Namibia has not enacted comprehensive data privacy legislation. However, various sector-specific laws are in place to protect client information, including in the legal and banking sectors.

Namibia recognizes the right to privacy as a fundamental human right under Article 13 of the Namibian Constitution. Accordingly, all persons have a right to privacy in their homes and communications. The right to privacy is limited as required by law and in the interest of protecting:

national security and public safety

the nation’s economy

health and morals

against disorder and crime

the rights and freedoms of others

The Namibian Government is currently drafting a Data Protection Policy that, although not yet public, is expected to:

protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to data processing

protect Namibian citizens from abuse of their personal data, and

harmonize Namibia’s data protection policy and legal framework with regional and international standards to promote the free flow of personal data under conditions of assurance and trust

DEFINITIONS

Definition of Personal Data

Not defined.

Definition of Sensitive Personal Data

Not defined.

NATIONAL DATA PROTECTION AUTHORITY

There is no national data protection authority in Namibia.

REGISTRATION

There is no registration requirement.


DATA PROTECTION OFFICERS

MICT

COLLECTION & PROCESSING

There are no restrictions on the collection and processing of personal data.

TRANSFER

There are no data transfer restrictions in place.

SECURITY

There are no data security requirements.

BREACH NOTIFICATION

There are no requirements to report data breaches to any individual or regulatory body.

ENFORCEMENT

There is no enforcement mechanism in place.

ELECTRONIC MARKETING

There are no electronic marketing regulations.

ONLINE PRIVACY

There are no specific laws that regulate the manner in which personal data may be stored or transmitted online.

KEY CONTACTS


Peter Johns
Director

Ellis Shilengudwa Incorporated

T +264 61 242224

peter@esinamibia.com


NEPAL

Last modified 22 December 2021

LAW

1. Individual Privacy Act, 2018 (2075) (“Privacy Act”)

2. Individual Privacy Regulation, 2020 (2077) (“Privacy Regulation”)

3. National Penal Code, 2017 (2074) (“Penal Code”)

4. Advertisement Act, 2019 (2076) (“Advertisement Act”)

5. Advertisement Regulation, 2020 (2076) (“Advertisement Regulation”)

DEFINITIONS

Definition of Personal Data

The Privacy Act defines “personal information” as the following information relating to any person:

his or her caste, ethnicity, birth, origin, religion, color or marital status;

his or her education or academic qualification;

his or her address, telephone number or email address;

his or her passport, citizenship certificate, national identity card number, driving license, voter identity card or details of an identity card issued by a public body;

a letter sent or received by him or her to or from anybody mentioning personal information;

his or her thumb impressions, fingerprints, retina of eye, blood group or other biometric information;

his or her criminal background or a description of the sentence imposed on him or her for a criminal offence or service of the sentence;

the opinion or view expressed by a person who gives a professional or expert opinion in the process of any decision.

Definition of Sensitive Personal Data

The Privacy Act lists the following information as “sensitive information”:

his or her caste, ethnicity or origin;

political affiliation;

religious faith or belief;

physical or mental health or condition;

sexual orientation or events relating to sexual life;

details relating to property.

NATIONAL DATA PROTECTION AUTHORITY


Not applicable.

REGISTRATION

Not applicable.

DATA PROTECTION OFFICERS

Not applicable.

COLLECTION & PROCESSING

Collection

The collection of data by any public body or body corporate is allowed with the consent of the concerned person. In addition, the Privacy Act contains an exclusive provision on the collection of data: no one except an official authorized under law, or a person permitted by such an official, may collect, store, protect, analyze, process or publish the personal information of any person. An official authorized under the law means an official who has been authorized by other laws to collect information, such as an investigating authority or a civil service officer collecting prescribed information.

Processing

The Privacy Act prohibits the processing of sensitive information. However, sensitive information may be processed in the following circumstances:

in the course of alleviation of disease, public health protection, disease identification, health treatment, management of a health institution or the provision of health services by a health worker, without insulting the concerned person or making him or her feel inferior;

if the concerned person has published the information himself or herself.

TRANSFER

Currently, there are no restrictions on the geographic transfer of data. However, if the Information Technology Bill, 2019 (2075), which is currently tabled in the parliament of Nepal, is enacted in its current form, the prescribed data held by governmental, public, financial and health-related authorities would be prohibited from being exported outside Nepal. A Bill to amend the Record Protection Act 1989 (2046) would further prohibit the export of records of national importance outside Nepal.

SECURITY

The collected data should only be used for the purpose for which they were collected. Further, the Privacy Act obliges a public body that holds collected information to make appropriate arrangements for the protection of that information.

BREACH NOTIFICATION

Not applicable.

ENFORCEMENT

As mentioned above, the prevailing laws have not designated a Data Protection Authority. Nonetheless, the Privacy Act and the Penal Code provide a complaint mechanism.

A complaint of an offense under the Privacy Act is processed either by the concerned person filing a plaint at the concerned district court or by filing a first information report (FIR) at the relevant police office. In the latter case, the concerned police office, through the government office, files a charge sheet in the concerned district court. Whether a complaint is filed directly at the district court or at the police office is determined by the nature of the offense. For an offense under the Penal Code, the FIR process described above applies.

ELECTRONIC MARKETING

Matters related to marketing are regulated by the Advertisement Act and the Advertisement Regulation. The definition of advertisement under the Advertisement Act also includes, inter alia, advertisement through electronic media, online or social media.

Advertisement-oriented SMS or email cannot be sent to any person without obtaining that person’s consent.

ONLINE PRIVACY

Every person has the right to privacy in respect of data held in electronic form. Such data cannot be used or shared without the consent of the concerned person. There is no specific provision on cookies and location data. However, if a data subject’s personal information or location data is collected, whether through cookies or otherwise, the concerned entity must adhere to the Privacy Act, and such information must be used only for the purpose for which it was collected.

KEY CONTACTS

Pioneer Law Associates

pioneerlaw.com/


Anup Raj Upreti
Managing Partner

Pioneer Law Associates

T +977-980165418

anup@pioneerlaw.com

Suman Siwakoti
Associate

Pioneer Law Associates

T +977-9801079825

suman@pioneerlaw.com

Sujan Shrestha
Associate

Pioneer Law Associates

T +977-9801109841

sujan.shrestha@pioneerlaw.com


NETHERLANDS

Last modified 21 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Dutch GDPR Implementation Act (Uitvoeringswet AVG, the Implementation Act) constitutes the local implementation of the GDPR in the Netherlands. The Implementation Act follows a policy-neutral approach, meaning that the requirements of the previous Dutch Data Protection Act (Wet bescherming persoonsgegevens) are maintained insofar as possible under the GDPR. The Implementation Act provides for, among other things, national rules where this is necessary for the implementation of GDPR provisions on the position of the regulatory authority or the fulfilment of discretionary powers provided by the GDPR.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.


The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The definitions are largely the same as in Article 4, GDPR. In addition, the Implementation Act defines “personal data concerning criminal law matters” as personal data concerning criminal convictions and offences or related security measures as referred to in Article 10, GDPR, as well as personal data relating to a prohibition imposed by the courts for unlawful or objectionable conduct.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has been appointed by law as the supervisory data protection authority and supervises compliance with the GDPR and the Implementation Act.

The Dutch Data Protection Authority’s contact details are as follows:

Autoriteit Persoonsgegevens

Postbus 93374

2509 AJ DEN HAAG

Telephone number: (+31) – (0)70 – 888 85 00

https://autoriteitpersoonsgegevens.nl/en

REGISTRATION


There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale

Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws

To monitor compliance with the law and with the internal policies of the organization, including assigning responsibilities, awareness raising and training staff

To advise on and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The Implementation Act (Article 39) provides more detailed information regarding the secrecy requirement set out in Article 38(5) GDPR, by stipulating that the DPO must maintain the secrecy of any information that becomes known to him or her pursuant to a complaint by or request from a data subject, unless the data subject agrees to disclosure.

Organisations must register their DPO with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). The registration form is available at https://autoriteitpersoonsgegevens.nl/nl/aanmeld%C3%ADngsformulier-functionaris-voor-de-gegevensbescherming-fg

A special email address and phone number are available for registered DPOs to contact the Dutch Data Protection Authority in case of questions with regard to the tasks of DPOs and GDPR compliance.

The contact details are as follows: 

Email address: FG@autoriteitpersoonsgegevens.nl

Phone number: (+31) (0)70-8888660

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and where necessary kept up-to-date (accuracy principle)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance, perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all play a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (under Union or Member State law) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject; note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Netherlands 745 | | | www.dlapiperdataprotection.com

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which

was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle

of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the

controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were

initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).


The following information must be provided (Article 13) at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s

highest court ruled against Google (Judgment of the CJEU in Case C-131/12,

http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631),

in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt,

on the basis that Google, as a data controller of the search results, had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly

affects him or her” is only permitted where:

Necessary for entering into or performing a contract

Authorized by EU or Member State law

The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Special categories of personal data (Article 9)

Article 9(2) of the GDPR provides for a number of exceptions under which special categories of personal

data may lawfully be processed. Certain of these exceptions require a basis in Member State law.

Division 3.1 of the Implementation Act provides for various exceptions for the processing of different

types of special categories of personal data, subject to stringent conditions. Important examples include

exceptions for:

Scientific or historical research or statistical purposes

The processing of personal data revealing racial or ethnic origin

The processing of personal data revealing political opinions for the performance of public duties

The processing of personal data revealing religious or philosophical beliefs for spiritual care

Genetic, biometric and health data

Criminal convictions and offences data (Article 10)

The processing of criminal conviction or offences data is prohibited by Article 10 of the GDPR, except

where specifically authorized under relevant Member State law.

Division 3.2 of the Implementation Act provides several exceptions for the processing of criminal

convictions and offences data.

The following general grounds for exemptions for processing criminal convictions and offences data apply:

Explicit consent by the data subject

Protection of a data subject’s vital interests

Processing related to personal data manifestly made public by the data subject

Processing necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in

their judicial capacity


Processing necessary for reasons of substantial public interest

Processing necessary for scientific or historical research purposes or statistical purposes in accordance with

Article 89(1) of the GDPR, and the conditions referred to in Section 24(b) to (d) of the Implementation Act have

been met

Specific exceptions may apply on the basis of Article 33 of the Implementation Act, eg, where the processing is carried out

by bodies that are responsible pursuant to law for applying criminal law, or where the processing is necessary in order to

assess a request from the data subject to take a decision on him or her or to provide a service to him or her.

Child’s consent to information society services (Article 8)

The Netherlands did not make use of the option to provide for a lower age limit for the processing of personal data of a

child on the basis of Article 8, GDPR.

Automated Decision Making (Article 22)

The Netherlands has made use of the possibility provided by Article 22(2)(b) GDPR, and has implemented exceptions

from the prohibition on automated individual decision-making. Article 40 of the Implementation Act sets out that Article

22(1) of the GDPR does not apply if the automated individual decision-making, other than based on profiling, is necessary

for compliance with a legal obligation to which the controller is subject or for the performance of a task carried out for

reasons of public interest. Examples provided by the Explanatory Memorandum to the Implementation Act concern

situations where there may be automated individual decision making on the basis of strictly individual characteristics, eg, in

the case of awarding certain allowances (eg, study allowances, child allowances), where there is no reason to require

human intervention. In such cases, the controller must take suitable measures to safeguard the data subject’s rights,

freedoms and legitimate interests. Such suitable measures will in any case have been taken if the right to obtain human

intervention, the data subject’s right to express his or her point of view and the right to contest the decision, have been

safeguarded.

Processing of national identification number (Article 87)

Article 87 of the GDPR sets out that Member States may further determine the specific conditions for the processing of a

national identification number. The Netherlands has made use of this possibility: Article 46 of the Implementation Act sets

out that a national identification number may only be processed where explicitly allowed by law, and only for those

purposes stipulated by the relevant law.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules, standard contractual clauses. The GDPR has removed the

need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard

contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

Explicit informed consent has been obtained


The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person

The transfer is necessary for important reasons of public interest

The transfer is necessary for the establishment, exercise or defence of legal claims

The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

The transfer is made from a register which according to EU or Member State law is intended to provide information to

the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State. A transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

After the European Court of Justice decision of 16 July 2020 (Schrems II), international data transfers to countries that

do not have an equivalent level of protection can still take place if such transfers are based on the 2021 EU Standard

Contractual Clauses (SCCs). In addition, in line with EDPB guidance, a transfer impact assessment must take place

in order to assess whether there are reasons to believe that the laws and practices in the third country of destination

prevent the recipient from fulfilling its obligations under the SCCs.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing
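The first Article 32 measure listed above, pseudonymisation, is where implementations most often go wrong in practice: an unkeyed hash of an identifier is not pseudonymisation in any useful sense, because the identifier space (email addresses, national identification numbers, dates of birth) is small enough to enumerate. The following Python is an added example written for this page, not code from the DLA Piper text; it assumes hypothetical records with an `email` field and a pseudonymisation key that is held by a separate system from the pseudonymised dataset. It shows a keyed (HMAC-SHA256) token that still lets records be linked, and contrasts it with a plain SHA-256 digest that a dictionary attack recovers at once.

```python
"""Added example (not from the DLA Piper text): keyed pseudonymisation of a
personal-data field, as one of the Article 32 measures.

Assumptions (hypothetical): records are dicts with an 'email' field; the
key is held by a separate party/system and is never stored alongside the
pseudonymised dataset (that separation is what makes it pseudonymisation
rather than a reversible rename).
"""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.org", "reading": 0.42},
    {"email": "bob@example.org", "reading": 0.87},
    {"email": "alice@example.org", "reading": 0.39},
]


def pseudonymise(value: str, key: bytes) -> str:
    """Map an identifier to a stable token with HMAC-SHA256.

    Same value + same key -> same token, so records can still be linked
    within the dataset. Without the key the token can neither be reversed
    nor recomputed from a guessed identifier.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return copies of the records with 'email' replaced by 'subject'."""
    out = []
    for r in records:
        r2 = dict(r)
        r2["subject"] = pseudonymise(r2.pop("email"), key)
        out.append(r2)
    return out


def unkeyed_hash(value: str) -> str:
    """Plain SHA-256 with no key: the weak substitute seen in the wild."""
    return hashlib.sha256(value.strip().lower().encode("utf-8")).hexdigest()


def reidentify_by_dictionary(token: str, candidates, hash_fn):
    """Attacker-side check: hash each candidate identifier and compare.

    Works whenever the identifier space is guessable and no secret key is
    involved; returns the recovered identifier or None.
    """
    for c in candidates:
        if hmac.compare_digest(hash_fn(c), token):
            return c
    return None


def demo():
    key = secrets.token_bytes(32)          # kept apart from the data
    pseud = pseudonymise_records(RECORDS, key)
    # Linking still works: alice's two readings carry the same token.
    linked = pseud[0]["subject"] == pseud[2]["subject"]
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org"]
    # Keyed token: an attacker without the key gets nothing.
    keyed_hit = reidentify_by_dictionary(pseud[0]["subject"], guesses, unkeyed_hash)
    # Unkeyed SHA-256: the same dictionary recovers the email outright.
    unkeyed_hit = reidentify_by_dictionary(unkeyed_hash("alice@example.org"), guesses, unkeyed_hash)
    return {"linked": linked, "keyed_hit": keyed_hit, "unkeyed_hit": unkeyed_hit}


if __name__ == "__main__":
    print(demo())
```

The design point is the one Article 32 and the GDPR's definition of pseudonymisation turn on: the "additional information" needed to re-identify (here, the HMAC key) must be kept separately and under its own controls; if the key is stored next to the data, or no key is used at all, the dataset is effectively still identifying.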

An important security measure in line with the GDPR, applicable from 1 January 2021, is that most online payments must be

completed with two-step verification (strong customer authentication). This is an obligation under the Payment Services Directive 2

(PSD2), the European directive for payments by consumers and businesses.

The Netherlands have not implemented any specific regulations on the basis of Articles 24, 25 or 32 of the GDPR. In this

respect, the Explanatory Memorandum to the Dutch Implementation Act explains that no general standard will be


developed which sets out when an organization has fulfilled its technical and organizational security obligations. However,

specific sectoral codes of conduct may be implemented which may contain further concrete standards. For example, in the

health sector such security standards already exist (eg, NEN 7510, which applies as an important information

security standard in the health sector).

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons (Article 33(1)). When the personal data breach is likely to result in a high risk to the rights and freedoms of

natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

The provisions regarding data breach notifications are mostly identical to Articles 33 and 34 GDPR.

Data breaches that require notification, should be notified to the Dutch DPA by completing an online form through the

Dutch DPA website.

The form is available here: https://datalekken.autoriteitpersoonsgegevens.nl/actionpage?0

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define undertaking and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of undertaking. Under EU competition law case-law, there is also precedent


for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called look through liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases such as processing employee data

Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered material or non-material damage as a result of a breach of the GDPR has the right to receive

compensation (Article 82(1)) from the controller or processor. The inclusion of non-material damage means that

individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

On the basis of Article 58(6) GDPR and in addition to the power to impose fines pursuant to the GDPR, the Dutch DPA

has the power to impose an administrative enforcement order (last onder bestuursdwang) or an order subject to penalty

(last onder dwangsom) to enforce obligations laid down by or pursuant to the Implementation Act.

ELECTRONIC MARKETING


The GDPR applies to most electronic marketing activities, as these will involve some use of personal data (eg, an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted.

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Dutch legislation

Electronic marketing is partially regulated in Article 11.7 of the Dutch Telecommunications Act (Tw). The first paragraph

of Article 11.7 of the Tw contains the rules for telemarketing that does not involve human intervention. These so-called

automatic systems for transmitting commercial, idealistic or charitable communications may only be used if the consumer

has given his prior consent. As of 1 July 2021 the Dutch Telecommunications Act was amended: as a main rule, an opt-in

system now also applies to telemarketing with human intervention.

New Legislation

The ePrivacy Regulation is a proposed regulation governing the use of electronic communication services within the European

Union and is intended to replace the Directive on privacy and electronic communications (Directive 2002/58/EC). In addition to

the GDPR, the ePrivacy Regulation represents a core element of EU-level data protection. On 10 February 2021, the Council of

the European Union (‘the Council’) published a new legislative proposal, thereby launching negotiations between the Council, the

European Parliament and the European Commission.

In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with

references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be

replaced with the GDPR standard for consent.

ONLINE PRIVACY

Traffic Data

Traffic Data is regulated in Article 11.5 of the Tw. Traffic Data held by a public electronic communications services provider (CSP)

must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a communication. However,

Traffic Data can be retained if:

It is being used to provide a value added service, and

Consent has been given for the retention of the Traffic Data.

Traffic Data can only be processed by a CSP for:

The management of billing or traffic

Dealing with customer enquiries

The prevention of fraud

The provision of a value added service (subject to consent)

Market research (subject to consent)

Location Data

(Traffic Data not included) – Location Data is regulated in Article 11.5a of the Tw. Location Data may only be processed:

If such data is being processed in anonymous form; or

With informed consent of the individual.


Cookie Compliance

The Netherlands implemented the E-Privacy Directive through the Dutch Telecommunications Act in Article 11.7a. The Authority

for Consumers and Markets (ACM) is entrusted with the enforcement of Article 11.7a of the Tw. In addition, in relation to cookie

compliance all privacy requirements from the GDPR must be taken into account. The Dutch Data Protection Authority (Autoriteit

Persoonsgegevens) has been appointed by law as the supervisory data protection authority and supervises compliance with the

GDPR and the Dutch GDPR Implementation Act.

The main rule is that the website operator needs to obtain prior consent from a user before using cookies (opt-in) and needs to

clearly and unambiguously inform the user about these cookies (purpose, type of cookie, etc.). Please note that the website

operator is not entitled to refuse users access to its website(s) if no consent is given. The requirement to obtain prior consent

from a user does not apply in case of functional cookies (e.g. to enable web shopping carts or language choices) and analytical

cookies that have little or no impact on the user’s privacy (e.g. for testing the effectiveness of certain banners/pages with the aim

to improve the website). In such case, the website operator still needs to inform the website visitors about the cookies. 

The information collected through cookies is considered personal data, unless the party that places the cookies can prove

otherwise.

In case of violation of electronic marketing or online privacy legislation, the ACM can impose fines of up to EUR 900,000 per

violation. In some cases, the fine may be even higher and amount to a percentage of the total annual turnover. In case of violation

of the GDPR and the Dutch GDPR Implementation Act, the Dutch Data Protection Authority can impose fines up to 4% of annual

worldwide turnover, or EUR 20 million (whichever is higher).

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Richard van Schaik
Partner

T +31 20 541 9828

richard.vanschaik@dlapiper.com


NEW ZEALAND

Last modified 20 December 2021

LAW

The Privacy Act 2020 (Act) and its Information Privacy Principles (IPPs) govern how agencies collect, use, disclose, store, retain

and give access to personal information. The Act gives the Privacy Commissioner the power to issue codes of practice that modify

the operation of the Act in relation to specific industries, agencies, activities or types of personal information. The following codes

are currently in place:

Credit Reporting Privacy Code

Health Information Privacy Code

Justice Sector Unique Identifier Code

Superannuation Schemes Unique Identifier Code

Telecommunications Information Privacy Code

Civil Defence National Emergencies (Information Sharing) Code

Enforcement is through the Privacy Commissioner. The Privacy Commissioner has the power to investigate any action which

appears to interfere with the privacy of an individual and can do so either on a complaint made to the Commissioner or on the

Commissioner’s own initiative. The Privacy Commissioner can also issue compliance notices requiring agencies to do or refrain

from doing something in order to comply with the Act.

Under the Act, an agency can be any person or body of persons, whether corporate or unincorporated, and whether in the public

sector or in the private sector.

The Act has an extraterritorial scope – it applies to any actions taken by an overseas organisation in the course of carrying on

business in New Zealand, regardless of where the information is or was collected or held and where the person to whom the

information relates is located. An organisation would be treated as carrying on business in New Zealand whether or not it has a

physical place of business in New Zealand, charges any monetary payment for goods or services, or makes a profit from its

business in New Zealand.

DEFINITIONS

Definition of personal data

Personal information under the Act is defined as information about an identifiable individual and includes information relating to a

death that is maintained by the Registrar General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act

1995, or any former Act.


Definition of sensitive personal data

Although no differentiation is made between how different types of personal information are to be treated under the Act, the codes of practice issued by the Privacy Commissioner may modify the operation of the Act for specific industries, agencies, activities and types of personal information.

Definition of agency

Agency is defined under the Act as any person or body of persons, whether corporate or unincorporated, and whether in the

public sector (including government departments) or the private sector. Certain bodies are specifically excluded from the

definition.

NATIONAL DATA PROTECTION AUTHORITY

The Privacy Commissioner’s Office

Level 8

109-111 Featherston Street

Wellington 6143

New Zealand

T +64 474 7590

F +64 474 7595

enquiries@privacy.org.nz

www.privacy.org.nz

REGISTRATION

There is no obligation on agencies to register or notify the Privacy Commissioner that they are processing personal information.  

DATA PROTECTION OFFICERS

The Act requires each agency to appoint one or more individuals to be a privacy officer. The privacy officer may be within or

external to the agency (i.e. the privacy officer role may be outsourced to a third party) and does not need to be a New Zealand

citizen or reside in New Zealand.  

The privacy officer’s responsibilities include the following:

The encouragement of compliance with the personal information privacy principles contained in the Act

Dealing with requests made to the agency pursuant to the Act

Working with the Privacy Commissioner in relation to investigations relating to the agency

Ensuring compliance with the provisions of the Act

COLLECTION & PROCESSING

Subject to specific exceptions, agencies may collect, store and process personal information in accordance with the 13 IPPs

summarised below.

IPP 1 – Purpose of collection of personal information

An agency must not collect personal information other than for a lawful purpose connected to the agency’s functions, and only if

the collection of the information is necessary for that purpose.

IPP 2 – Source of personal information


An agency must collect information directly from the relevant individual, unless one of the specified exceptions applies. The exceptions include where collection from the individual is not practical in the circumstances, where collection from a third party would not prejudice the interests of the individual, or where the information is publicly available.

IPP 3 – Collection of personal information from subject

Before collecting personal information, an agency has to make the relevant individual aware of certain things, such as the fact that

information is being collected, the purposes for which it will be used, and the right to access and request correction of personal

information. This is typically done by way of a privacy policy. There are several exceptions where the person collecting

information would not need to comply with IPP 3, including where compliance is not reasonably practicable in the circumstances. 

IPP 4 – Manner of collection of personal information

Agencies cannot collect personal information by unlawful or unfair means, or in a manner that intrudes to an unreasonable extent

upon the personal affairs of the individual concerned. Particular care must be taken when collecting personal information from

children or young persons.

IPP 5 – Storage and security of personal information

Agencies must ensure personal information is protected by reasonable security safeguards against loss and unauthorised access,

use, modification or disclosure or other misuse. If it is necessary to give personal information to another person (e.g., a service

provider), an agency must do everything reasonably within its power to prevent unauthorised use or disclosure of that

information.

IPP 6 – Access to personal information

Where an agency holds personal information about an individual, the agency must, if requested by the individual and subject to certain exceptions, confirm whether it holds the information and grant the individual access to it. The exceptions include where the information is not readily retrievable or:

the refusal is for the protection of the health, safety or similar of an individual

in an employment context, the information is evaluative (e.g., compiled for the purpose of determining the suitability of an individual for employment) and disclosure would breach an implied promise that was made to the person who supplied the information

the information needs protecting because it would involve disclosure of a trade secret or be likely to unreasonably

prejudice the commercial position of the person who supplied the information, unless the public interest in disclosure

outweighs the withholding of the information

the information does not exist or cannot be found

the disclosure would involve the unwarranted disclosure of the affairs of another individual

the disclosure would breach legal professional privilege, or

the request is frivolous or vexatious, or the information requested is trivial

IPP 7 – Correction of personal information

An individual can request that an agency correct information the agency holds about the individual, or attach a statement of a correction sought but not made. If an agency has corrected personal information or attached a statement of a correction sought but not made, it will, if reasonably practicable, inform each person or entity to whom it has disclosed that information of that correction or statement. The agency must inform the individual of any action taken as a result of the individual’s request.

IPP 8 – Accuracy of personal information to be checked before use or disclosure

Agencies must take reasonable steps to ensure personal information they hold is accurate, up to date, complete, relevant, and not

misleading.

IPP 9 – Agency not to keep personal information for longer than necessary


Agencies must not keep personal information for longer than is required for the purposes for which the information may lawfully

be used.

IPP 10 – Limits on use of personal information

Agencies must not use personal information obtained in connection with one purpose for any other purpose unless the agency

reasonably believes:

the source of the information is publicly available and it would not be unfair or unreasonable to use that information

the use of the information for the other purpose is authorised by the relevant individual

non-compliance is necessary to avoid prejudice to the maintenance of the law by any public sector agency: for the

enforcement of a law imposing a pecuniary penalty; for the protection of public revenue; or for the conduct of

proceedings before a court or tribunal

the use of the information for the other purpose is necessary to prevent or lessen a serious threat to public health or

safety, or the life or health of an individual

the other purpose is directly related to the purpose for which the information was obtained, or

the information is used in a form where the individual is not identified, or is used for statistical or research purposes and

will not be published in a form where the individual could reasonably be expected to be identified

IPP 11 – Limits on disclosure of personal information

Agencies must not disclose personal information for any purpose other than the purpose for which it was collected or a purpose

directly related to the purpose for which it was collected unless the agency reasonably believes:

the source of the information is publicly available and it would not be unfair or unreasonable to disclose that information

the disclosure is to the relevant individual

the disclosure is authorised by the relevant individual

non-compliance is necessary: to avoid prejudice to the maintenance of the law by any public sector agency; for the

enforcement of a law imposing a pecuniary penalty; for the protection of public revenue; or for the conduct of

proceedings before a court or tribunal

the disclosure of the information is necessary to prevent or lessen a serious threat to public health or safety, or the life or

health of an individual

the disclosure is necessary to enable an intelligence and security agency to perform any of its functions

the disclosure is necessary to facilitate the sale or other disposition of a business as a going concern, or

the information is to be used in a form where the individual is not identified, or is used for statistical or research purposes

and will not be published in a form where the individual could reasonably be expected to be identified

IPP 12 – Disclosure to an overseas person

Agencies must not disclose personal information to a foreign person or entity unless the agency reasonably believes: 

the relevant individual authorises the disclosure after being informed by the agency that the foreign person or entity may

not be required to protect the information in a way that provides comparable safeguards to those in the Act

the foreign person or entity is carrying on business in New Zealand and the agency reasonably believes that, in relation to

the information being disclosed, the foreign person or entity is subject to the Act

the foreign person or entity is subject to privacy laws that provide comparable safeguards to those in the Act

the foreign person or entity is a participant in a prescribed binding scheme

the foreign person or entity is subject to privacy laws of a prescribed country, or

the foreign person or entity is required to protect the information in a way that provides comparable safeguards to those

in the Act (for example, pursuant to contractual clauses). New Zealand’s Privacy Commissioner has released model

contractual clauses that can be used to satisfy these exceptions, but it is not mandatory to use these exact provisions

IPP 13 – Unique identifiers


Agencies can only assign ‘unique identifiers’ to an individual if it is necessary to enable the agency to carry out one or more of its

functions efficiently. The agency must not assign an individual a unique identifier that it knows has been assigned to that individual

by another agency unless the unique identifier is being used for statistical or research purposes only. Additionally, the agency must

take reasonable steps to ensure that unique identifiers are only assigned to individuals whose identities are clearly established and

that the risk of the unique identifiers being misused is minimised. An agency must not require an individual to disclose any unique

identifier assigned to them unless the disclosure is one of the purposes, or directly related to one of the purposes, for which that

unique identifier was assigned.

TRANSFER

Generally, an agency should not disclose personal information to another entity unless the disclosure of the information is one of

the purposes in connection with which the information was obtained or is directly related to the purposes in connection with

which the information was obtained. Care must be taken that all safety and security precautions are met to ensure the

safeguarding of that personal information to make certain that it is not misused or disclosed to any other party.

Transfer of personal information to another agency to hold as the transferring agency’s agent (e.g., for safe custody or processing)

is not considered a disclosure of the information for the purposes of the Act.

Agencies must not disclose personal information to a foreign person or entity unless the agency reasonably believes: 

the relevant individual authorises the disclosure after being informed by the agency that the foreign person or entity may

not be required to protect the information in a way that provides comparable safeguards to those in the Act

the foreign person or entity is carrying on business in New Zealand and the agency reasonably believes that, in relation to

the information being disclosed, the foreign person or entity is subject to the Act

the foreign person or entity is subject to privacy laws that provide comparable safeguards to those in the Act

the foreign person or entity is a participant in a prescribed binding scheme

the foreign person or entity is subject to privacy laws of a prescribed country, or

the foreign person or entity is required to protect the information in a way that provides comparable safeguards to those in the Act (e.g., pursuant to contractual clauses). New Zealand’s Privacy Commissioner has released model contractual clauses that can be used to satisfy these exceptions, but it is not mandatory to use these exact provisions

Additionally, the Privacy Commissioner is given the power to prohibit a transfer of personal information from New Zealand to

another state, territory, province or other part of a country (State) by issuing a transfer prohibition notice (Notice) if it is satisfied

that information has been received in New Zealand from one State and will be transferred by an agency to a third State which

does not provide comparable safeguards to the Act and the transfer would be likely to lead to a contravention of the basic

principles of national application set out in Part Two of the Organisation for Economic Co-operation and Development (OECD)

Guidelines.

In considering whether to issue a Notice, the Privacy Commissioner must have regard to whether the proposed transfer of

personal information affects, or would be likely to affect any individual, the desirability of facilitating the free flow of information

between New Zealand and other States, and any existing or developing international guidelines relevant to trans-border data

flows.

On December 19, 2012 the European Commission issued a decision formally declaring that New Zealand law provides a standard

of data protection that is adequate for the purposes of EU law. This decision means that personal data can flow from the 27 EU

member states to New Zealand for processing without any further safeguards being necessary.

Following the decision in the Schrems and Schrems II cases, there have been calls to review New Zealand’s adequacy status,

primarily due to New Zealand’s membership with the Five Eyes network. However, to date (as at 20 December 2021) this has not

been acted upon by the European Commission.

SECURITY

An agency that holds personal information shall ensure that the information is kept securely and protected by such security

safeguards as are reasonable in the circumstances to protect against loss, access, use, modification, or disclosure that is not


authorised by the agency, and other misuse.

If it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything

reasonably within the power of the agency must be done to prevent unauthorised use or unauthorised disclosure of the

information.

BREACH NOTIFICATION

Under the Act, any ‘privacy breach’ which it is reasonable to believe has caused or is likely to cause serious harm to an individual

must be notified to the Privacy Commissioner and to the affected individuals.

A ‘privacy breach’ is any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal

information, or any action that prevents the agency from accessing the information on either a temporary or permanent basis.

When assessing whether a privacy breach is likely to cause serious harm, agencies must consider:

any action taken by the agency to reduce the risk of harm following the breach

whether the personal information is sensitive in nature

the nature of the harm that may be caused to affected individuals

the person or body that has obtained or may obtain personal information as a result of the breach (if known)

whether the personal information is protected by a security measure, and

any other relevant matters 

Agencies must notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware of a notifiable

privacy breach. If it is not reasonably practicable to notify an affected individual or each member of a group of affected individuals,

an agency can give a public notice of the breach. 

Notification to affected individuals is not required or can be delayed in certain circumstances.  For example, notification to affected

individuals can be delayed if the agency believes that a delay is necessary because notification or public notice may pose risks for

the security of personal information held by the agency and those risks outweigh the benefits of informing affected individuals (for

example, if notification of the breach would expose an unremedied security vulnerability).

Anyone who outsources services that involve data processing should be aware that the Act includes an express provision that

anything relating to a notifiable privacy breach that is known by an agent is to be treated as being known by the principal agency.

This is because the legislators consider that the principal agency should be responsible for informing individuals about a notifiable

breach.

ENFORCEMENT

In New Zealand, the Privacy Commissioner is responsible for investigating a breach of privacy laws. The Privacy Commissioner has

powers to enquire into any matter if the Privacy Commissioner believes that the privacy of an individual is being, or is likely to be,

infringed. The Privacy Commissioner will primarily seek to settle a complaint by conciliation and mediation. If a complaint cannot

be settled in this way, a formal investigation may be conducted so that the Privacy Commissioner may form an opinion on how the

law applies to the complaint. The Privacy Commissioner’s opinion is not legally binding but is highly persuasive.

If the Privacy Commissioner is of the opinion that there has been an interference with privacy, the Privacy Commissioner may

refer the matter to the Director of Human Rights who may then in turn decide to take the complaint to the Human Rights Review

Tribunal. The Tribunal will hear the complaint afresh and its decision is legally binding. It can award damages for breaches of

privacy.

The Privacy Commissioner can also issue compliance notices requiring agencies to take certain actions, or stop certain activities, in

order to comply with the Act. Compliance notices will describe the steps that the Privacy Commissioner considers are required

to remedy non-compliance with the Act and will specify a date by which the agency must make the necessary changes.  The

Privacy Commissioner can also issue access directions requiring agencies to provide individuals access to their personal

information.


It is an offence to:

mislead an agency to access another individual’s personal information

destroy personal information, knowing that a request has been made to access it

without reasonable excuse, obstruct, hinder, or resist the Privacy Commissioner or any other person in the exercise of

their powers under the Act

without reasonable excuse, refuse or fail to comply with any lawful requirement of the Privacy Commissioner or any

other person under the Act

give false or misleading statements to the Privacy Commissioner

represent directly or indirectly that a person holds any authority under the Act when they do not hold that authority, or

fail to notify the Privacy Commissioner of a notifiable privacy breach

The penalty for these offences is a fine of up to NZD 10,000.

ELECTRONIC MARKETING

The Act does not differentiate between the collection of and use of any personal information for electronic marketing or other

forms of direct marketing.

The Unsolicited Electronic Messages Act 2007:

prohibits unsolicited commercial electronic messages (these include email, fax, instant messaging and text messages of a commercial nature, but do not cover Internet pop-ups or voice telemarketing) with a New Zealand link (messages sent to, from or within New Zealand)

requires commercial electronic messages to include accurate information about who authorised the message to be sent

requires a functional unsubscribe facility to be included so that the recipient can instruct the sender not to send the

recipient further messages, and

prohibits using address-harvesting software to create address lists for sending unsolicited commercial electronic messages

The Marketing Association of New Zealand has a code of practice for direct marketing which governs members’ compliance with the principles of the code. The code establishes a ‘Do Not Call’ register on which anyone not wanting to receive any direct marketing can register.

ONLINE PRIVACY

Other than compliance with the Act, no additional legislation deals with the collection of location and traffic data by public

electronic communications services providers and use of cookies (and similar technologies). The New Zealand Privacy

Commissioner has general guidelines on protecting online privacy.

KEY CONTACTS

DLA Piper New Zealand

www.dlapiper.co.nz/

Nick Valentine
Partner

T +64 9 916 3703

nick.valentine@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

NICARAGUA

Last modified 20 December 2021

LAW

Ley No. 787 Ley de Protección de Datos Personales (Law No. 787 Personal Data Protection Law), effective since 29 March 2012 and published in Official Gazette No. 61 on the same day.

DEFINITIONS

Definition of Personal Data

Personal data: any information about a natural or legal person that identifies that person or makes them identifiable.

Definition of Sensitive Personal Data

Sensitive personal data: any information that reveals racial or ethnic origin, political affiliation, religious, philosophical or moral beliefs, union membership, health or sexual life, criminal record, or administrative, economic and financial misconduct; as well as credit and financial information and any other information that could be grounds for discrimination.

NATIONAL DATA PROTECTION AUTHORITY

Personal Data Protection Directorate (it has not been formally incorporated).

REGISTRATION

Each organisation that collects personal data will have the obligation to register in the Data File Registry. 

However, since the Personal Data Protection Directorate has not yet been incorporated, such a Register in practice does not yet

exist. Therefore, organisations are unable to materially comply with such registration.

DATA PROTECTION OFFICERS

Any officer responsible for the Data File of each organisation must register in the Data Files Registry that the Personal Data

Protection Directorate enables for this purpose. 

We must reiterate that this obligation cannot be materially fulfilled, as the Personal Data Protection Directorate has not been formally incorporated.

COLLECTION & PROCESSING

The law defines data processing as those systematic operations and procedures, automated or not, that allow the collection,

registration, recording, conservation, ordering, storage, modification, updating, evaluation, blocking, destruction, deletion, use and


cancellation, as well as the transfer of personal data resulting from communications, consultations, interconnections and transfers. 

Personal data may only be processed, when they are adequate, proportional and necessary in relation to the scope and specific,

explicit and legitimate purposes for which they have been requested. 

The purpose of processing the personal data of the user should be to facilitate the improvement, expansion, sale, billing,

management, provision of services and acquisition of goods.

TRANSFER

Personal data may be assigned and transferred when the purposes are directly related to the legitimate interest of the assignor and

the assignee and with the prior consent of the owner of the data, who must be informed about the purpose of the assignment and

identify the assignee. 

The consent for the transfer is revocable, by written notification or by any other means that is equated, depending on the

circumstances, to the person responsible for the data file.

SECURITY

The necessary technical and organisational measures must be adopted to guarantee the integrity, confidentiality and security of personal data; to avoid its adulteration, loss, consultation, treatment, disclosure or unauthorised transfer; and to allow the detection of deviations of private information, whether intentional or not, and whether the risks come from human action or from the technical means used.

BREACH NOTIFICATION

The legislation does not expressly contemplate the duty of notification of data breach.

Mandatory breach notification

The legislation only contemplates mandatory notification in the event of data breach in the case of Army and Police personnel, and

the relevant institutions must be informed immediately.

ENFORCEMENT

Because the institution that supervises the application of the law (the Personal Data Protection Directorate) has not been formally incorporated, its provisions are not being duly enforced by the government.

ELECTRONIC MARKETING

The data files destined to the sending of advertising, promotions, offers and direct sale of products, goods and services or other

analogous activities can only incorporate personal data with the consent of the owner, or when the data appears in publicly

accessible sources. 

The sending of advertising and promotions, through electronic means, must offer the possibility to the recipient of personal data

to express their refusal to continue receiving advertising and promotional content of goods and services or, where appropriate,

revoke their consent in a clear and free manner. 

Companies or institutions that engage in electronic marketing, advertising and promotional content must be protected by means

of a contract that establishes that the personal data contained in a data file has been obtained with the unequivocal and informed

consent of the owners or that it has been obtained from publicly accessible sources.

ONLINE PRIVACY

The law states that when the officer of the data file uses mechanisms in remote or local electronic, optical or other communication technology (cookies) that allow personal data to be collected automatically and simultaneously while the data owner makes contact with them, the owner must be informed at that time about the use of these technologies, that personal data is obtained through them, and how they can be disabled.

The location data is not regulated.

KEY CONTACTS

Central Law

central-law.com/

Álvaro Molina Vaca
Partner

Central Law

T +505 2278 6045

amolina@central-law.com

Avil Ramírez Mayorga
Associate

Central Law

T +505 2278 6045

aramirezm@central-law.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

NIGER

Last modified 10 January 2022

LAW

The data protection regime in Gabon is governed by the following laws and regulations:

Law No. 2017-28 of 3 May 2017 on the Protection of Personal Data (‘the Law’);

Decree No. 2020-309/PRN/MJ of April 30, 2020 setting the terms of application of Law No. 2017-28 of May 3, 2017 on

the protection of personal data as amended and supplemented by Law No. 2019-71 of December 24, 2019; 

Order No. 000045 of October 5, 2020 determining the profile and setting the conditions of remuneration of the personal

data protection correspondent; 

Law No.2018-45 of July 12, 2018 on the regulation of electronic communications in Niger; and

Law on Cybercrime of 2019 (only available in French).

DEFINITIONS

Definition of Personal Data

Any information of any nature relating to an identified or identifiable natural person, including sounds and images, directly or indirectly referencing an identification number or one or more elements specific to his physical, physiological, genetic, psychological, cultural, social or economic identity (Article 1 of the Law).

Definition of Sensitive Personal Data

Any personal data relating to religious or philosophical opinions or activities, political affiliation, sex life, race, health, social measures, prosecutions, and criminal or administrative sanctions (Article 1 of the Law).

NATIONAL DATA PROTECTION AUTHORITY

High Authority for the Protection of Personal Data (‘HAPDP’).

The HAPDP is composed of nine members chosen for their legal and/or technical competence.

The HAPDP’s role is to ensure that any processing of personal data complies with the Law. Its responsibilities also include informing data controllers and data subjects of their rights and obligations, handling complaints, conducting audits, and sanctioning data controllers who are in breach of the Law.

REGISTRATION

There is no “register of processing activities” in Niger.

The processing of personal data is, however, subject to prior notification to the HAPDP. If a data controller has designated a personal data protection correspondent (see Data Protection Officers below), notification is not required unless personal data is transferred across national borders. In addition, Articles 40 and 41 of the Law provide that the data controller must produce an annual report for the HAPDP on the personal data stored during the period fixed by the HAPDP, in relation to the purposes for which each type of processing activity was carried out.

DATA PROTECTION OFFICERS

There is no provision in the Law relating to the appointment of a data protection officer.

However, Article 12 of the Law provides for the designation of a personal data protection correspondent, defined in Article 1 as the person designated by the company carrying out the processing of personal data, to whom data subjects or interested persons may address any queries.

Article 12 further states that the correspondent must possess the qualifications required to carry out their duties and must be able to make a list of processing activities immediately accessible to any person requesting it. The correspondent is exempt from any sanction by the employer resulting from the performance of their duties.

The data controller must notify the HAPDP of the designation of a correspondent. In the event that the correspondent fails to carry out their duties, they may be discharged at the request of, or after consultation with, the HAPDP.

COLLECTION & PROCESSING

Processing of personal data may only take place if the data subject has expressed consent in a free, specific, informed and unambiguous manner. Processing is considered legitimate if the data subject has given prior express consent.

The requirement of prior consent may be waived where the controller is duly authorised and the processing is necessary for:

the performance of a contract to which the data subject is party, or to take pre-contractual measures at the data subject’s request;

compliance with a legal obligation to which the controller is subject;

protecting the interests or fundamental rights and freedoms of the data subject; and

the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed.

The collection and processing of personal data must comply with the following principles:

The principles of lawfulness, fairness and transparency: Data must be processed fairly, lawfully and transparently. Lawfulness refers to the legal basis of the processing (legal obligation, contractual obligation, etc.). Fairness refers to the manner in which the data are collected and is linked to the individual’s right to information: data must not be collected or processed without the knowledge of the data subject. This principle also requires that data subjects be given several pieces of information, both on the processing of their data and on their rights.

The principle of proportionality: Data must be adequate, relevant and not excessive in relation to the purposes for which they are collected and further processed. The data controller must not collect more data than it actually needs; only data strictly necessary to achieve the specified purpose may be collected.

The principle of accuracy: Data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they are collected and further processed, are erased or rectified.

The obligations of the data controller include, among other things, ensuring that:

data is collected and processed fairly and lawfully;

data is collected for specified, explicit and legitimate purposes and subsequently processed in a manner compatible with those purposes;

data is adequate, relevant and not excessive in relation to the purposes for which it was collected;

collected data is accurate and complete;

collected data is retained in a form that allows the identification of data subjects for no longer than is necessary for the purposes for which it was collected;

data subjects are informed of the data processing;

data subjects have given their consent to the data processing;

data subjects are able to exercise their right to access the data and to request amendments or deletions;

persons with access to the system can only access the data they are allowed to;

non-authorised persons cannot read, copy, modify, destroy or move data;

all data introduced into the system is authorised;

non-authorised persons cannot use data transmission facilities to enter the data processing system;

the identities of third parties having access to personal data are checked;

data is backed up with security copies; and

data is renewed and converted to preserve it.

Under Article 5 of the Law, the processing of personal data is subject to prior notification to the HAPDP. The notification must include an undertaking that the processing meets the requirements of the Law.

For certain types of processing, however, the prior authorisation of the HAPDP is required. This is particularly the case for the processing of genetic data, medical data and data processed for scientific research.

The data subject is entitled to a number of rights, some of which are listed below:

Right of information: Pursuant to Article 26 of the Law, the data controller must inform the data subject of:

the identity of the controller and, where applicable, of its duly authorised representative;

the specific purposes of the processing for which the data is intended;

the categories of data concerned;

the recipient(s) to whom the data may be communicated;

the possibility of refusing to appear on the file;

the existence of a right of access to data concerning the person and a right to rectify this data; and

the possibility of any transfer of the data to a third party.

Right of access: Pursuant to Article 27 of the Law, the data subject can obtain from the data controller:

information allowing him/her to know about and dispute the processing of his/her personal data;

confirmation of whether his/her personal data forms part of the processing;

a copy of his/her personal data, as well as any available information on the data’s origin; and

information relating to the purposes of the processing, the categories of personal data processed and the recipients or categories of recipients to whom the data are communicated.

Right to rectification: Under Article 29 of the Law, any natural person who can prove his or her identity may require the data controller to rectify, complete, update, block or delete, as the case may be, any personal data concerning him or her that is inaccurate, incomplete, ambiguous or out of date, or whose collection, use, communication or storage is prohibited.

Right to erasure: Under Article 31 of the Law, the data subject has the right to obtain from the controller the erasure of personal data relating to him or her and the cessation of the dissemination of such data, in particular with regard to personal data the data subject made available while a minor, or for one of the following reasons:

the data is no longer necessary for the purposes for which it was collected or processed;

the data subject has withdrawn the consent on which the processing is based, or the authorised retention period has expired, and there is no other legal ground for processing the data;

the data subject objects to the processing of personal data relating to him or her and there is no legal ground for such processing;

the data processing does not comply with the provisions of the Law; or

for any other legitimate reason.

Right to object: Under Article 28 of the Law, any data subject has the right to:

oppose the processing of his/her personal data;

oppose the processing of his/her personal data for prospecting purposes; and

be informed before his/her personal data is communicated to third parties.

Interconnection of personal data shall:

not discriminate against or limit the fundamental rights, freedoms and guarantees of data holders;

ensure the use of appropriate security measures; and

take into account the principle of relevance (Article 25 of the Law).

TRANSFER

Transfer of personal data to another country is allowed only when that country provides a superior or equivalent level of protection for the privacy, freedoms and fundamental rights of individuals with regard to the processing of personal data (Article 24 of the Law).

SECURITY

The Law is not prescriptive about specific technical standards or measures.

However, Article 38 states that the data controller shall take all necessary measures, in view of the nature of the data and the architecture of the processing, in particular to prevent the data from being distorted, damaged, lost, stolen or accessed by unauthorised parties.

BREACH NOTIFICATION

No breach notification protocol is stipulated under Nigerien law.

ENFORCEMENT

As of 21 December 2021, we have not identified any notable enforcement decision issued by the High Authority for the Protection of Personal Data (‘HAPDP’) pertaining to the Law.

ELECTRONIC MARKETING

The Law will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name).

The general rule for electronic marketing is that it requires the express consent of the recipient (see Article 58 of Law No. 2018-45 of 12 July 2018 on the regulation of electronic communications in Niger).

Even where a marketer has the consent of a data subject, that consent can be withdrawn by the data subject under Article 28 of the Law.

The data subject has the right to object at any time to the use of his/her personal data for such marketing. This right to object must be explicitly brought to the attention of the data controller.

The data controller may, however, decline to act on a request to exercise the right to object if it demonstrates legitimate reasons justifying the processing which override the interests, fundamental rights and freedoms of the data subject.

ONLINE PRIVACY

The Law does not provide any specific rules governing cookies or location data.

However, pursuant to Article 38 of the Law, the data controller must implement all appropriate technical and organisational measures to preserve the security and confidentiality of the data, including protecting the data against accidental or unlawful destruction, accidental loss, alteration, distribution, or access by unauthorised persons.

KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal


Dr. Sangare Mouhamoud
Associate

Geni & Kebe

T +2250779107541

m.sangare@gsklaw.sn

Dr. Francky Lukanda
Senior Associate

Geni & Kebe

T +2250584344660

f.lukanda@gsklaw.sn


NIGERIA

Last modified 12 December 2021

LAW

The National Information Technology Development Agency (NITDA) issued the Nigeria Data Protection Regulation (NDPR) in 2019. It is the principal regulation and framework for data protection in Nigeria.

In 2020 NITDA also issued an Implementation Framework for the NDPR, and Guidelines for the Management of Personal Data by Public Institutions in Nigeria to regulate personal data processing within public institutions.

Nigeria Data Protection Regulation

The NDPR is the first regulation of its kind governing the use of personal data in Nigeria. Its personal and territorial scope is defined by citizenship and physical presence: it applies to residents of Nigeria as well as to Nigerian citizens abroad. The NDPR provides legal safeguards for the processing of personal data; under it, personal data must be processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject.

Implementation Framework for the Nigeria Data Protection Regulation

The Framework builds on the NDPR to ensure a tailored implementation of the data protection regime in Nigeria. It serves as a guide for data controllers and administrators/processors to understand the standards required for compliance within their organisations. The Framework is to be read in conjunction with the NDPR and does not supersede it.

Guidelines for the Management of Personal Data by Public Institutions in Nigeria

In 2020, NITDA issued the Guidelines for the Management of Personal Data by Public Institutions in Nigeria (the Guidelines) to regulate personal data processing within public institutions. The Guidelines apply to all public institutions (PIs) in Nigeria, including Ministries, Departments, Agencies, Institutions, Public Corporations, publicly funded ventures, and incorporated entities with government shareholding, at the Federal, State or Local level, that process the personal data of a data subject. The Guidelines mandate all PIs to protect personal data in any instance of processing of such data; “processing” here retains the meaning it has under the NDPR. All personal data of a Nigerian citizen, resident or non-Nigerian individual who interacts with PIs, or personal data to which PIs have access in furtherance of a statutory or administrative purpose, is to be protected in accordance with the NDPR or any other law or regulation in force in Nigeria.

Sectoral Laws

In addition to the principal legislation mentioned above, the Constitution of the Federal Republic of Nigeria and various sector-specific laws make provision for privacy and data protection matters. These laws are examined below.

The laws


Constitution of the Federal Republic of Nigeria 1999 (As Amended)

The Nigerian Constitution provides Nigerian citizens with a fundamental right to privacy. Section 37 of the Constitution guarantees privacy protections to citizens in their homes, correspondence, telephone conversations and telegraphic communications. The Constitution does not define the scope of “privacy” or contain detailed privacy provisions.

Child Rights Act 2003

The Child Rights Act 2003 reiterates the constitutional right to privacy as it relates to children. Section 8 of the Act guarantees a child’s right to privacy, subject to the rights of parents or guardians to exercise supervision and control over their child’s conduct. Some Nigerian states have also enacted Child Rights Laws.

Consumer Code of Practice Regulations 2007 (NCC Regulations)

The Nigerian Communications Commission (NCC) issued the NCC Regulations, which require all licensees to take reasonable steps to protect customer information against improper or accidental disclosure, and to ensure that such information is securely stored and not kept longer than necessary. The NCC Regulations further prohibit the transfer of customer information to any party except to the extent agreed with the customer, or as permitted or required by the NCC or other applicable laws or regulations.

Consumer Protection Framework 2016 (Framework)

The Consumer Protection Framework 2016 was enacted pursuant to the Central Bank of Nigeria Act 2007. The Framework includes provisions that prohibit financial institutions from disclosing customers’ personal information. It further requires financial institutions to have appropriate data protection measures and staff training programmes in place to prevent unauthorised access, alteration, disclosure, accidental loss or destruction of customer data. Financial services providers must obtain written consent from consumers before personal data is shared with a third party or used for promotional offers.

Credit Reporting Act 2017

The Credit Reporting Act establishes a legal and regulatory framework for credit reporting by Credit Bureaus. Section 5 of the Act requires Credit Bureaus to maintain credit information for at least 6 years from the date it is obtained, after which the information must be archived for a 10-year period prior to its destruction. Section 9 of the Act sets out the rights of data subjects (i.e. persons whose credit data are held by a Credit Bureau) to privacy, confidentiality and protection of their credit information, and prescribes the conditions under which a data subject’s credit information may be disclosed.

Cybercrimes (Prohibition, Prevention Etc) Act 2015

The Cybercrimes (Prohibition, Prevention Etc) Act provides a legal and regulatory framework to prohibit, prevent, detect, prosecute and punish cybercrimes in Nigeria. The Act requires financial institutions to retain and protect data, and criminalises the interception of electronic communications.

Freedom of Information Act, 2011 (FOI Act)

The FOI Act seeks to protect personal privacy. Section 14 of the FOI Act obliges a public institution to deny an application for information that contains personal information unless the individual concerned consents to the disclosure or the information is publicly available. Section 16 of the FOI Act provides that a public institution may deny an application for disclosure of information that is subject to various forms of professional privilege conferred by law (such as lawyer-client privilege, health worker-client privilege, etc.).

National Identity Management Commission (NIMC) Act 2007

The NIMC Act creates the National Identity Management Commission (NIMC) to establish and manage a National Identity Management System (NIMS). The NIMC is responsible for enrolling citizens and legal residents, creating and operating a National Identity Database, and issuing Unique National Identification Numbers to qualified citizens and legal residents. Section 26 of the NIMC Act provides that no person or corporate body shall have access to data or information in the Database with respect to a registered individual without authorisation from the NIMC. The NIMC is empowered to provide a third party with information recorded in an individual’s Database entry without the individual’s consent, provided this is in the interest of national security.

National Health Act 2014 (NHA) 

The NHA sets out rights and obligations for health users and healthcare personnel. Under the NHA, health establishments are required to maintain health records for every user of health services and to maintain the confidentiality of those records. The NHA further restricts the disclosure of user information and requires persons in charge of health establishments to set up control measures to prevent unauthorised access to information. The NHA applies to all information relating to a patient’s health status, treatment and admission to a health establishment, and also applies to DNA samples collected by a health establishment.

Nigerian Communications Commission (registration of telephone subscribers) Regulation 2011 

Sections 9 and 10 of the Regulation provide for the confidentiality of telephone subscriber records maintained in the NCC’s central database. The Regulation further gives telephone subscribers a right to view and update, in camera, the personal information held about them in the NCC’s central database or that of a telecommunications company.

The Data Protection Bills

Data protection/privacy is not listed as an item under any of the exclusive, concurrent or residual legislative lists in the Nigerian Constitution (as amended). The implication is that both the Federal and State legislatures can legislate on data protection within the country. Pursuant to this, a Federal Data Protection Bill was issued in 2019. The main objective of the Bill is to provide a structure for the protection of personal data and to regulate the processing of information relating to all individuals, irrespective of their nationality. It also seeks to protect the fundamental rights to privacy and freedoms enshrined in the Constitution. However, the status of this Bill is currently unknown, as the Federal Ministry of Communications and Digital Economy recently published a request for expressions of interest inviting law firms and data protection practitioners to submit proposals for drafting a comprehensive data protection law for the country.

In addition, one state that has considered issuing its own data protection legislation is Lagos State. A data protection bill has been introduced in the State House of Assembly; its primary objective is to promote the protection of personal information processed by public and private bodies in Lagos State and to establish minimum requirements for the processing and protection of personal information within the state. The Lagos State Bill has passed second reading and is currently at the House Committee stage. There have been deliberations on its provisions and stakeholders have proposed changes. The eventual state, shape and form of the different laws, if passed, remains to be seen.

DEFINITIONS

Definition of personal data

Personal Data is defined as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Personal data is a broad term, encompassing anything from a name, address, photo, email address, bank details, social networking website posts and medical information to other unique identifiers such as, but not limited to, MAC address, IP address, IMEI number, IMSI number and SIM.

Definition of sensitive personal data

Sensitive Personal Data means data relating to religious or other beliefs, sexual tendencies, health, race, ethnicity, political views, trade union membership, criminal records or any other sensitive personal information.

Definition of data subject

Data Subject means an identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

Definition of data controller

Data Controller means a person who, either alone, jointly or in common with other persons, or as a statutory body, determines the purposes for and manner in which Personal Data is processed or is to be processed.

Definition of personal data breach

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Definition of processing

Processing means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

NATIONAL DATA PROTECTION AUTHORITY

The National Information Technology Development Agency (NITDA) is currently the main regulator for data protection in Nigeria. However, sector-specific regulatory agencies, including the Nigerian Communications Commission and the Central Bank of Nigeria, also perform functions relating to the protection of data.

REGISTRATION

There is no requirement to register databases.

DATA PROTECTION OFFICERS

The NDPR requires Data Controllers to designate a Data Protection Officer responsible for ensuring compliance with the NDPR and other applicable data protection directives. The data controller may outsource this responsibility to a verifiably competent firm or person.

COLLECTION & PROCESSING

COLLECTION

Personal Data must be collected and processed in accordance with a specific, legitimate and lawful purpose consented to by the Data Subject.

Prior to collecting Personal Data, Controllers must provide Data Subjects with the relevant information, including:

the identity and contact details of the Controller, the contact details of its Data Protection Officer, and the intended purpose and legal basis for the processing;

the legitimate interests pursued by the Controller or a third party;

the recipients or categories of recipients of the Personal Data, if any;

where applicable, the fact that the Controller intends to transfer Personal Data to a third country or international organisation, and the existence or absence of an adequacy decision by the Agency;

the period for which the Personal Data will be stored or, if that is not possible, the criteria used to determine that period; and

notice of the Data Subject’s right to (a) request access to and rectification of Personal Data maintained by the Controller, (b) withdraw consent to further processing by the Controller at any time, and (c) lodge a complaint with the relevant authority.

Where the Controller intends to process Personal Data for a purpose other than that for which it was collected, it must provide Data Subjects with the relevant information on the additional purpose prior to further processing.

PROCESSING

Processing of Personal Data is lawful if at least one of the following applies:

the Data Subject has given consent to the processing of his or her Personal Data for one or more specific purposes;

processing is necessary for the performance of a contract to which the Data Subject is party, or in order to take steps at the request of the Data Subject prior to entering into a contract;

processing is necessary for compliance with a legal obligation to which the Controller is subject;

processing is necessary in order to protect the vital interests of the Data Subject or of another natural person; or

processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official public mandate vested in the Controller.

Data processing by a third party shall be governed by a written contract between the third party and the Data Controller. Accordingly, any person engaging a third party to process data obtained from Data Subjects shall ensure compliance with the NDPR.

TRANSFER

The NDPR includes provisions on transfers of Personal Data to foreign countries and international organisations, provided such transfers are intended for processing purposes. The Honourable Attorney General of the Federation (HAGF) is responsible for supervising such transfers.

Transfers of Personal Data are permitted where NITDA determines that a foreign country, territory or specific sector(s) within a foreign country or international organisation provides an adequate level of Personal Data protection. The determination is based on the HAGF’s consideration of the foreign country’s legal system, rule of law, respect for human rights and fundamental freedoms, as well as relevant general and sector-specific legislation on public security, defence, national security and criminal law.

Transfers of Personal Data may take place without NITDA or HAGF authorisation if:

the Data Subject expressly consents to the proposed transfer after being informed of the associated risks in the absence of an adequacy determination, the lack of appropriate safeguards, and the fact that there are no alternatives;

the transfer is necessary for the performance of a contract between the Data Subject and the Controller, or for the implementation of pre-contractual measures taken at the Data Subject’s request;

the transfer is necessary for the performance of a contract concluded in the interests of the Data Subject between the Controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims; or

the transfer is necessary to protect the vital interests of the Data Subject or of other persons, where the Data Subject is physically or legally incapable of giving consent.

Where Personal Data is transferred to a foreign country or to an international organisation, the Data Subject has the right to be informed of the appropriate safeguards for data protection in that country.

SECURITY

Anyone involved in the processing or control of data has a responsibility to develop security measures to protect it. Such measures include, but are not limited to, protecting systems from hackers, setting up firewalls, storing data securely with access restricted to specific authorised individuals, employing data encryption technologies, developing organisational policies for handling Personal Data (and other sensitive or confidential data), protecting email systems, and continuous capacity building for staff.

BREACH NOTIFICATION


There is no requirement to report data security breaches or losses to the authorities or to data subjects under the NDPR. However, the Framework mandates Data Controllers to notify NITDA of Personal Data breaches within 72 (seventy-two) hours of becoming aware of the breach. Under the Framework, a Data Controller is also required to immediately notify a Data Subject of a Personal Data breach where the breach will likely result in high risks to the freedoms and rights of the data subject.

ENFORCEMENT

NITDA is empowered to register and license Data Protection Compliance Organizations (DPCOs). On behalf of NITDA, DPCOs monitor, audit, conduct training and provide data protection compliance consulting to all Data Controllers as defined in the NDPR.

Since the issuance of the NDPR, NITDA has been handed supervisory and enforcement responsibilities in respect of data protection matters in Nigeria. It collaborates with security agencies such as the office of the Inspector General of Police to ensure full compliance and enforcement. Where NITDA has determined that a party is in breach of the NDPR, especially where such breach affects national security, sovereignty and cohesion, it may seek to prosecute officers of the organization as provided for in section 17(1) and (3) of the NITDA Act 2007. To do this, NITDA must seek a fiat of the Attorney General of the Federation or may file a petition with any authority in Nigeria. This may include: the Economic and Financial Crimes Commission, Department of State Security, Nigerian Police Force, Independent Corrupt Practices (and other related offences) Commission or the Office of the National Security Adviser.

NITDA has also set up an administrative redress panel to (a) investigate allegations of any breach of the provisions of the Regulation, (b) invite any party to respond to allegations made against it within seven days, and (c) issue administrative orders to protect the subject matter of the allegation pending the outcome of the investigation, and conclude investigations and determine appropriate redress within 28 working days.

A breach of the NDPR is construed as a breach of the NITDA Act 2007. Any organization/entity that contravenes any of the provisions of the NDPR would be in breach and be liable to such fines, sanctions or penalties as may be determined by the Commission from time to time.

Organizations that are in breach of the NDPR requirements can face penalties that vary in amount depending on the number of data subjects affected, as follows:

- if the data breach impacted more than 10,000 data subjects, the organization can be fined up to 2% of its annual revenue or 10 million Naira, whichever is greater;
- if the data breach impacted fewer than 10,000 data subjects, the organization can be fined up to 1% of its annual revenue or 2 million Naira, whichever is greater.

ELECTRONIC MARKETING

The NCC Regulations provide that no licensee shall engage in unsolicited telemarketing unless it discloses:

- at the beginning of the communication, the identity of the licensee or other person on whose behalf it is made and the precise purpose of the communication;
- during the communication, the full price of any product or service that is the subject of the communication; and
- that the person receiving the communication shall have an absolute right to cancel the agreement for purchase, lease or other supply of any product or service within seven (7) days of the communication, by calling a specific telephone number (without any charge, and which the Licensee shall specifically identify during the communication), unless the product or service has by that time been supplied to and used by the person receiving the communication.

Licensees are required to conduct telemarketing in accordance with any “call” or “do not call” preferences recorded by the consumer, at the time of entering into a contract for services or after, and in accordance with any other rules or guidelines issued by the Commission or any other competent authority.

Internet Service Providers (ISP)

The NCC Legal Guidelines for Internet Service Providers (ISP) provide, with respect to commercial communications, that ISPs must take reasonable steps to promote compliance with the following requirements for commercial email or other commercial communications transmitted using the ISP’s services:

- The communication must be clearly identified as a commercial communication.
- The person or entity on whose behalf the communication is being sent must be clearly identified.
- The conditions to be fulfilled in order to qualify for any promotional offers, including discounts, rebates or gifts, must be clearly stated.
- Promotional contests or games must be identified as such, and the rules and conditions to participate must be clearly stated.
- Persons transmitting unsolicited commercial communications must take account of any written requests from recipients to be removed from mailing lists, including by means of public “opt-out registers” in which people who wish to avoid unsolicited commercial communications are identified.

Advertising

The Nigerian Code of Advertising Practice, Sales Promotion and Other Rights and Restrictions on Practice provides that all advertisements and marketing communications directed at the Nigerian market using the Internet or other electronic media must comply with the following requirements:

- The commercial nature of such communications must not be concealed or misleading; it should be made clear in the subject header.
- Terms of the offer should be clear, and devices should not be used to conceal or obscure any material factors, such as price or other sales conditions likely to influence customer decisions.
- The procedure for concluding a contract should be clear.
- Due recognition must be given to the standards of acceptable commercial behavior held by public groups before posting marketing communications to such groups using electronic media.
- Unsolicited messages should not be sent except where there are reasonable grounds to believe that consumers who receive such communications are interested in the subject matter or offer.
- All marketing communications sent via electronic media should include a clear and transparent mechanism enabling consumers to expressly opt out from future solicitations.
- Care should be taken to ensure that neither the marketing communication nor applications used to enable consumers to open marketing or advertising messages interfere with consumers’ normal use of electronic media.
- Customer information must not be transferred to any party except to the extent agreed with the Customer, or as permitted or required by the NCC or other applicable laws or regulations.

ONLINE PRIVACY

The Constitutional right to privacy applies to electronic media, including mobile devices and the Internet. Violations of these rights may be subject to civil enforcement.

The NDPR requires all mediums through which Personal Data is collected or processed to display a simple and conspicuous privacy policy, easily understood by the targeted Data Subject class. The privacy policy must contain the following, in addition to any other relevant information:

- what constitutes Data Subject consent;
- a description of the Personal Data to be collected;
- the purpose of Personal Data collection;
- the technical methods used to collect and store personal information (e.g. cookies, web tokens);
- access (if any) of third parties to Personal Data and the purpose of such access;
- an overview of the data processing principles under the NDPR;
- available remedies for privacy policy violations;
- timeframes associated with available remedies; and
- any limitation clause, provided that no limitation clause shall avail any Data Controller who acts in breach of the principles of lawful processing set out in the NDPR.


KEY CONTACTS

Olajide Oyewole LLP

www.olajideoyewole.com/


Sandra Oyewole
Partner

Olajide Oyewole LLP

T +234 1 279 3674

soyewole@olajideoyewole.com

Adewumi Salami
Associate

Olajide Oyewole LLP

T +234 1 279 3674

asalami@olajideoyewole.com


NORTH MACEDONIA

Last modified 15 January 2022

LAW

The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection (Official Gazette of the Republic of North Macedonia, no. 42/20, “DP Law”), effective 24 February 2020. Data controllers and data processors had an 18-month period from the DP Law’s entry into force (i.e. until 24 August 2021) to harmonize their operations with the DP Law. This period has been informally prolonged for an additional six months, during which time the data protection authority will assist companies in the implementation of the new rules through education and corrective measures, as opposed to directly issuing fines for non-compliance.

The DP Law is largely harmonized with the General Data Protection Regulation (GDPR) of the European Union (EU).

DEFINITIONS

Definition of personal data

The DP Law defines personal data as any information relating to an identified or identifiable natural person, where an identifiable natural person is one whose identity can be determined directly or indirectly, in particular by reference to an identifier such as a name and surname, a personal identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of sensitive personal data

Under the DP Law, sensitive personal data is personal data which reveals:

- racial or ethnic origin;
- political opinions, religious or philosophical beliefs;
- membership in a trade union; or
- genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data referring to a natural person’s sex life or sexual orientation.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Protection Agency (“DPA”) was established in 2005 with the Law on Protection of Personal Data dated 2005 (then called the Directorate for Personal Data Protection of the Republic of Macedonia; with the adoption of the DP Law it became an agency) as North Macedonia’s data protection authority. The DPA is an independent state agency with competence to oversee the implementation of the DP Law, with its registered seat located at:

Boulevard Goce Delcev 18
Skopje
www.dzlp.mk

REGISTRATION

The DPA keeps records of all data controllers and data protection officers and publishes them on its website.

Under the Law on Protection of Personal Data dated 2005, data controllers/processors had an obligation to register their databases containing personal data in the Central Registry of Personal Databases (“Registry”) maintained by the DPA. With the adoption of the DP Law, the Registry continues to exist and to be maintained by the DPA, but only as a registry of databases involving a high risk (“High-Risk Records”); controllers/processors must notify the DPA of their respective high-risk databases. It is also envisaged that the provisions of the DP Law governing the High-Risk Records shall cease to apply upon accession of the Republic of North Macedonia to the EU.

The DPA requires entities to report subsequent changes to registration details within 30 days of a change.

As a novelty, the DP Law obliges data controllers/processors and their representatives to maintain records of processing activities with an explicitly prescribed content. However, this obligation is not generally applicable to all data controllers and data processors. It applies only if data controllers/processors have at least 50 employees or, regardless of the number of employees, if the processing is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of personal data or personal data relating to criminal convictions and offences.

DATA PROTECTION OFFICERS

Under the DP Law, data controllers and data processors are obliged to appoint a DPO in certain cases, i.e. when:

- processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the data controller/processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the data controller/processor consist of processing on a large scale of special categories of personal data and personal data relating to criminal convictions and offences.

Data protection officers must:

- inform and advise the data controller or data processor and employees who process data about their duties in accordance with the DP Law;
- monitor compliance with the DP Law, with other national laws and with the policies of the controller/processor;
- increase awareness of data protection practices;
- provide advice on Data Protection Impact Assessments;
- collaborate with the DPA; and
- act as a contact for the DPA regarding the adequate collection and processing of personal data and perform other prescribed tasks.

COLLECTION & PROCESSING

The DP Law operates on the basis of the principles of lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

The requirement of carrying out the data processing lawfully means, among other things, that it should be based upon an adequate legal ground. Such legal ground is either a data subject’s consent (relating to specified, explicit and legitimate purpose(s)) or one of the remaining grounds explicitly prescribed by the DP Law, which include:

- necessity of the particular processing for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- necessity for compliance with a legal obligation to which the data controller is subject;
- necessity for the protection of the vital interests of the data subject or of another natural person;
- necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller; and
- necessity for the realization of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

The processing of special categories of personal data is prohibited, unless an exception prescribed by the DP Law applies.

Data subjects are entitled to a range of rights under the DP Law, including the right of access, the right to rectification, the right to erasure (‘right to be forgotten’), the right to restriction of processing, the right to data portability, the right to object, and the right not to be subject to automated decision making, including profiling.

TRANSFER

Entities may transfer personal data which are subject to processing if the conditions set out in the DP Law are fulfilled and applied.

When transferring personal data to the EU or the European Economic Area (EEA), entities must notify the DPA at least 15 days before the transfer.

Transferring personal data to third countries or international organizations may be conducted only if the DPA deems that the third country or international organization provides adequate levels of protection. When assessing whether the third country or international organization has an adequate level of protection, the DPA considers several parameters, including, among others:

- the rule of law, respect for human rights and fundamental freedoms, relevant legislation and its implementation, professional rules and security measures (including rules for onward transfer), as well as effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data is transferred;
- the existence and effective functioning of one or more independent supervisory authorities in the third country or international organization; and
- the international commitments the third country or international organization has entered into, or other obligations arising from legally binding conventions or instruments, in relation to the protection of personal data.

If the above criteria are met by the third country or international organization to which the personal data will be transferred, the data transfer can be conducted on the basis of an adequacy decision adopted by the DPA.

The DPA has not yet adopted an adequacy decision. However, the DPA follows the practice of the European Union when it comes to implementing the data protection regulations, and it is expected that any such adequacy decision will be in line with an adequacy decision adopted by the European Commission.

The DP Law itself does not require a special/individual prior approval by the DPA (“Transfer Approval”) if an adequacy decision issued by the DPA for the (importing) third country or international organization exists or the below safeguards are provided (on condition that enforceable data subject rights and effective legal remedies for data subjects are available). However, up until this point in time, the DPA has taken a conservative approach and has insisted that even in such cases a Transfer Approval has to be obtained.

When an adequacy decision has not been adopted, personal data can be transferred to a third country or international organization only if the data controller or data processor applies appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The appropriate safeguards may be provided by:

- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules in accordance with the DP Law;
- standard data protection clauses determined by the DPA or approved by the European Commission; or
- an approved code of conduct or approved certification mechanism pursuant to the DP Law, together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards the data subjects’ rights.

Additionally, the DPA could approve the following appropriate safeguards:

- contractual clauses between the data controller and the data processor, as well as between the data controller or the data processor and the recipient of the personal data in the third country or international organization; or
- provisions envisaged in administrative agreements between public authorities or bodies which contain applicable and effective data subject rights.

The DP Law also provides a list of derogations for specific situations, based on which a legitimate data transfer out of the Republic of North Macedonia is not conditioned upon a Transfer Approval (e.g., the data subject’s consent, enforcement of a contract between a data subject and a data controller, etc.).

Unofficially, starting from 2022, the DPA will require the submission of a completed transfer impact assessment with each request for Transfer Approval when transferring personal data to third countries and international organizations.

SECURITY

The DP Law requires data controllers and data processors to implement appropriate technical and organizational measures to protect personal data from accidental or illegal destruction, loss, alteration, unauthorized disclosure of personal data or unauthorized access to transferred, stored or otherwise processed personal data. These risks are taken into consideration in particular in order to assess the appropriate level of security.

The technical and organizational measures include, inter alia, as appropriate:

- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The data controller and the data processor must always implement the technical and organizational measures relevant to the period in which they are designed and implemented, in accordance with the state of the art.

The data controller and the data processor are obliged to apply appropriate levels of technical and organizational measures proportional to the processing activities, while taking into consideration the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons.

The technical and organizational measures can be classified in two levels:

1. Standard; and
2. High.

The process for managing the system for personal data protection is described in the internally adopted Policy on the System for Personal Data Protection, which should be regularly updated and harmonized in line with any changes in the data controller’s working process.

BREACH NOTIFICATION

Under the DP Law, data controllers are obliged to inform the DPA immediately (and no later than 72 hours after discovering the data breach), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Data processors are obliged to notify the data controller immediately after discovering the breach.

The notification is submitted on a special form prescribed by the DPA. Where it is not possible to provide all of the information at the same time, it may be provided in phases without undue further delay.

If the data breach is deemed to pose a high risk to the rights and freedoms of natural persons, the data controller must immediately notify the data subject that their personal data has been breached. However, the data controller need not notify the data subject if:

- appropriate technical and organizational measures have been implemented which ensure that the personal data would be unintelligible to unauthorized persons (e.g. encryption);
- the data controller has implemented additional measures which ensure that there is no longer a high risk to the rights and freedoms of the data subjects; or
- such notification would require disproportionate effort, in which case a public notification or a similar measure is implemented instead.

ENFORCEMENT

The DPA has supervisory authority over the protection of personal data, exercised as systemic and independent control over the legality of the actions undertaken during personal data processing. This supervision entails inspection, assessment, giving direction and imposing measures on data controllers and processors, through supervisors within the DPA.

The supervision may be:

- regular (announced supervision, conducted in line with the DPA’s annual supervision program);
- extraordinary (unannounced supervision, conducted upon a request, initiative, ex officio or in cases where the supervisors suspect that a breach of the DP Law has occurred); and
- control (conducted within six months after the expiration of the deadline for rectifying violations).

The supervisors enforce DP Law violations by ordering data controllers or processors to remedy violations within a specified time period, or by requesting the initiation of a misdemeanor procedure before the Misdemeanor Commission, taking the seriousness of the offense into consideration. Fines for legal entities are up to 2% or up to 4% of the total annual turnover of the previous financial year, depending on the violation, with smaller fines of several hundred euros for the responsible persons at the infringer and for data controllers and processors who are natural persons. Additionally, there is a fine in the range of EUR 1,000 to EUR 10,000 for data controllers which are legal entities that do not adhere to the video surveillance requirements. Entities may dispute DPA fines by initiating proceedings before the Administrative Court of the Republic of North Macedonia.

Individuals are also entitled to bring private claims against controllers and/or processors and request compensation for material or non-material damage suffered due to a breach of the DP Law. Individuals also have the right to lodge a complaint with the DPA and the right to an effective judicial remedy against a decision (or lack thereof) of the DPA concerning them.

The Criminal Code of North Macedonia includes a criminal offense for misuse of personal data punishable by a monetary fine or imprisonment of up to one year, as determined by the court.

ELECTRONIC MARKETING

Under the DP Law, personal data may be processed for electronic (direct) marketing purposes, including profiling to the extent connected to the direct marketing, only with the data subject’s explicit consent to such processing. The data subject has the right to withdraw his or her consent at any time.

The data subject is entitled to exercise his or her right to object at any time to processing of his or her personal data for such marketing. Where the data subject objects to the processing, the personal data shall no longer be processed for such purposes.

ONLINE PRIVACY

The DP Law and the Rulebook on the Security of Personal Data Processing (Official Gazette of the Republic of North Macedonia no. 122/20, “Security Rulebook”) apply to online privacy as well.

In line with the Security Rulebook, when using cookies which are not necessary for the service, the data controller should obtain the prior consent of the internet user before the cookie is deposited. Data subjects should be informed about the use of cookies and their type, duration, provider and purpose, with which third parties the data is shared, as well as the manner in which cookies can be rejected.

Please note that data controllers and data processors should undertake technical and organizational measures for the security of personal data processing to guarantee the correct identity of the website, as well as the confidentiality of the sent and received information, as prescribed by the Security Rulebook. For example, this would include mandatory use of a cryptographic protocol (TLS) for all pages of the website, adoption of a policy for the personal data protection system, etc.

KEY CONTACTS

Ljupka Noveska Andonova
Senior Associate

Karanovic & Partners

T +389 2 3223 870

ljupka.noveska@karanovicpartners.com

Veton Qoku
Partner

Karanovic & Partners

T +389 2 3223 870

veton.qoku@karanovicpartners.com


NORWAY

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by the GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that it is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the

” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “offering of goods or services the monitoring of their

” (Article 3(2)(b)) as far as their behaviour takes place within the EU.behaviour

The GDPR was incorporated in the EEA Agreement by a Joint Committee Decision dated July 6, 2018. The new

Norwegian Personal Data Act (LOV-2018-06-15-38) (” “) implements GDPR and became effective as of July 20, 2018.PDA

In addition to implementing GDPR, the PDA includes specific regulations as described below. In connection with the

implementation of GDPR, several sector-specific regulations, e.g, in the healthcare sector, has been updated to ensure

compliance with GDPR.

The PDA has a similar geographical scope as GDPR Article 3 in that it applies to:

1. data controllers and processors established in Norway regardless of whether the processing activities take place in Norway / EEA or not; and

2. processing activities by a data controller or data processor which is not established in the EEA to the extent the processing activity relates to:

   a. offering of goods and services to data subjects in Norway, irrespective of whether a payment of the data subject is required; or

   b. the monitoring of their behavior, to the extent that such behavior takes place within Norway.

The PDA also applies to processing of personal data by a controller who is not established in Norway, but in a place governed by Norwegian law according to public international law.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Norwegian Data Protection Authority is:

Datatilsynet

www.datatilsynet.no


Together with the other EEA countries (Iceland and Liechtenstein), the Norwegian Data Protection Authority became a member of the EDPB for GDPR-related matters, however without voting rights and without the right to be elected as chair or vice-chair.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systemic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

The government may issue further regulations as regards the duty to appoint a DPO. No such regulations have been issued yet.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up-to-date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their

legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to ‘re-purpose’ personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymization.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);


both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)


Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;

b. authorized by EU or Member State law; or

c. the data subject has given their explicit (ie, opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Scope

The PDA and GDPR do not apply to processing activities by physical persons for purely private or family purposes or to processing activities within the justice administration sector. For processing activities for journalistic purposes or academic, artistic or literary expression, only GDPR Articles 24, 26, 28, 29, 32 and 40-43 apply, as well as PDA chapter 6 on supervision and complaints and chapter 7 on sanctions and coercive fines.

Age limit to consent to information society services

According to the PDA section 5, the age limit to consent to information society services is 13 years.

Processing of special categories of personal data

Processing of special categories of personal data is allowed when necessary to perform rights or obligations within the

field of employment law.

The Norwegian Data Protection Authority may authorize the processing of sensitive personal data where the processing

is in the public interest.

The Norwegian Data Protection Authority can also issue specific regulations allowing for the processing of special

categories of data.

Processing of information relating to criminal offences

According to the PDA, the processing of information about criminal offences is subject to the same regulations as GDPR Article 9(2)(a), (c) and (f) as well as the PDA sections 6, 7 and 9, i.e. the same provisions as the processing of special categories of personal data.

Use of personal ID numbers

Personal ID numbers and other unique identifiers may only be processed where there are reasonable grounds to require proper identification and the use of personal ID numbers is necessary for such identification.

Specific rules on consent


The PDA contains provisions relating to processing of special categories of personal data for, e.g., scientific purposes without the consent of the data subject, provided that the processing is covered by necessary safeguards in accordance with GDPR Article 89(1). There is no specific general regulation as regards safeguards according to GDPR Article 89(1).

Before processing special categories of data, the data controller should consult and seek advice from the Data Protection Officer (“DPO”) in accordance with GDPR Article 37.

The above-mentioned advice from the DPO must consider whether the processing will meet the requirements of GDPR

and other provisions laid down in the Norwegian Implementation Act. The consultation obligation with the DPO does not

apply if an assessment has been made of privacy implications according to GDPR Article 35.

The duty to consult with a DPO also applies to the extent that processing of special categories of data for statistical or scientific purposes is based on consent.

Exemption to data subject rights to access and information

The PDA contains some exemptions to the rights of access and information under GDPR Articles 13-15 if the information:

a. is of relevance for Norwegian foreign policy or national security;

b. must be kept secret in order to prevent, investigate, disclose and prosecute criminal acts;

c. is considered inadvisable for the data subject to obtain, due to the health situation of the relevant person or that person’s relationship to persons close to them;

d. is subject to a duty of confidentiality by law;

e. is only found in text prepared for internal purposes and not disclosed to others; or

f. is such that disclosure would be in breach of obvious and fundamental private or public interests.

Any denial of access according to the above shall be provided by way of a written explanation.

The right of access according to GDPR Article 15 does not apply to the processing of personal data for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes in accordance with GDPR Article 89(1) so far as:

a. it will require a disproportionate effort to give access; or

b. the right of access will make it impossible or seriously impair the achievement of the specific purposes.

The rights to rectification and restriction in accordance with GDPR Articles 16 and 18 do not apply to processing for archival purposes in the public interest, purposes related to scientific or historical research or statistical purposes in accordance with GDPR Article 89(1) as far as it is likely that the rights would make it impossible or seriously impair the achievement of the specific purposes.

The above exemptions do not apply if the processing has legal effects or directly has factual effects for the data subject.

Access to employee email

A separate regulation (FOR-2018-07-02-1108) issued under the Working Environmental Act (LOV-2005-06-17-62)

contains the conditions and procedures that have to be followed for accessing employee emails by an employer. Access to

employee email can only take place if there is a legitimate interest or if it is necessary to secure daily operations or if

there is a suspicion that the email has been used in such a manner that it is a clear violation of the working relationship or

could lead to dismissal or termination of employment.

The employee shall, as far as possible, be given notice and be able to participate when access to email is made.

CCTV surveillance in the workplace


A separate regulation (FOR-2018-07-02-1107) has also been adopted under the Working Environmental Act and contains

provisions on the legality of CCTV surveillance in the workplace, notification and deletion obligations, as well as the

legality of transfer of CCTV recordings. CCTV monitoring in the workplace may only take place where it is needed to

prevent dangerous situations from arising and to safeguard the safety of employees or others, or where there otherwise is

a special need for the monitoring. The regulation also applies to dummy cameras.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities. Please note that pursuant to a recent decision of the Court of Justice of the European Union (Case C-311/18 Schrems II) the EU-US Privacy Shield Framework may no longer serve as a legal basis for transfers of personal data between the EEA and USA.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defense of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions. 

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and


organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

the pseudonymization and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for

ensuring the security of the processing.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal

data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

Data breaches that require notification to the Norwegian DPA, can be notified by completing an online form through

Altinn, a Norwegian internet portal for digital dialogue between businesses and public agencies.

The form is available online at https://www.datatilsynet.no/rettigheter-og-plikter/virksomhetenes-plikter/avvikshandtering/melde-avvik-til-datatilsynet/.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the


specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

Fines

Fines may be imposed on public authorities. Furthermore, the PDA sets out that fines under GDPR will also apply to a

breach of GDPR article 10 (processing of data relating to criminal convictions) and 24 (obligation on the controller to


implement appropriate technical and organizational measurements to demonstrate that processing is in accordance with

GDPR).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g., an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (eg,

an email address is likely to be ‘personal data’ for the purposes of the Act).

Pursuant to the Marketing Control Act (LOV-2009-01-09-2, Nw: Markedsføringsloven) section 15, it is prohibited in the course of

trade, without the prior consent of the recipient, to send marketing communications to natural persons using electronic methods

of communication which permit individual communication, such as electronic mail, telefax or automated calling systems (calling

machines).

Prior consent is however not required for electronic mail marketing where there is an existing customer relationship and the

contracting trader has obtained the electronic address of the customer in connection with a sale. The marketing may only relate

to the trader’s own goods, services or other products corresponding to those on which the customer relationship is based.

At the time that the electronic address is obtained, and at the time of any subsequent marketing communication, the customer

shall be given a simple and free opportunity to opt out of receiving such communications.

‘Electronic mail’ in the context of the Marketing Control Act means any communication in the form of text, speech, sound or

image that is sent via an electronic communications network, and that can be stored on the network or in the terminal equipment

of the recipient until the recipient retrieves it. This includes text and multimedia messages sent to mobile telephones.

Direct marketing emails must not conceal or disguise the identity of the sender. If the email is unsolicited, it shall clearly state that

the email contains a marketing message upon receipt of the message (The Norwegian E-Commerce Act (LOV-2003-05-23-35),

Nw: Ehandelsloven, section 9).

ONLINE PRIVACY

Traffic Data

Traffic data is defined in Norwegian Regulation relating to Electronic Communications Networks and Electronic Communications

Services (FOR-2004-02-16-401, Nw: Ekomforskriften) section 7-1 as data which is necessary to transfer communication in an

electronic communications network or for billing of such transfer services.


Processing of traffic data held by a Communications Services Provider (‘CSP’) (Nw: Tilbyder) may only be performed by individuals

tasked with invoicing, traffic management, customer enquiries, marketing of electronic communications networks or the

prevention or detection of fraud.

Traffic Data held by a CSP must be erased or anonymized when it is no longer necessary for the purpose of the transmission of a

communication (Electronic Communications Act (LOV-2003-07-04-83) section 2-7 (Nw: Ekomloven)). However, Traffic Data can

be retained if it is being used to provide a value added service and consent has been given for the retention of the Traffic Data.

Location Data

Location data may only be processed subject to explicit consent for the provision of a value added service which is not a public

telephony service, and the users must be given understandable information on which data is processed and how the data is used.

The user shall have the opportunity to withdraw their consent. See Norwegian Regulation relating to Electronic Communications

Networks and Electronic Communications Services section 7-2.

Cookie Compliance

The Electronic Communications Act has been changed in accordance with directive 2009/136/EC regarding the use of cookies.

According to section 2-7 b, the user must give their consent before cookies or any other form of data is stored in their browser.

The users must receive clear and comprehensive information about the use of cookies and the purpose of the storage or access.

However, obtaining user consent is not required if the cookie solely has the purpose of transferring communication in an

electronic network, or if it is deemed to be necessary for the delivery of a service requested by the user. The decision of the

Court of Justice of the European Union in case C-673/17 (Planet 49) entails that consent to non-essential cookies can no longer be

expressed through browser settings, at least if the cookie entails processing of personal data. The National Communications

Authority, the authority responsible for supervising the Electronic Communications Act, recommends adhering to the consent

regime of GDPR (i.e. freely given, specific, informed and unambiguous) if a website operator is uncertain of its compliance with

regards to consent.  

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Petter Bjerke
Partner

T +47 2413 1654

petter.bjerke@dlapiper.com


PAKISTAN

Last modified 1 February 2021

LAW

Pakistan currently has not enacted data protection legislation per se similar to data protection legislation enacted in other

countries of the world, however the Prevention of Electronic Crimes Act, 2016 (“PECA 2016”) at present serves the same

purpose to a certain extent.

Moreover, a consultation draft of the Personal Data Protection Bill 2020 (“PDPB”) has been introduced by the Ministry of

Information Technology and Telecommunications with a view to having the same being promulgated into law after public

consultation, approval from both Houses of Parliament and receipt of assent from the President of Pakistan.

DEFINITIONS

Definition of personal data

The term “personal data” is defined in PECA 2016 in Section 2(xviii) as ““identity information” means an information which may

authenticate or identify an individual or an information system and enable access to any data or information system.”

“Data” in PECA 2016 is defined in Section 2(xiii) as ““data” includes content data and traffic data.”

The use of the word ‘include’ in the abovementioned definition of ‘data’ is indicative of the fact that the legislators intended for the

definition of ‘data’ to include content data and traffic data in addition to what the typical dictionary meaning and definition of the

word ‘data’ is.

Hence, identity information means any piece of information that is capable of authenticating or identifying an individual and enable

access to any piece of information that may indirectly assist in authenticating or identifying an individual.

On the other hand, the PDPB defines “personal data” as any information that relates directly or indirectly to a data subject, who is

identified or identifiable from that information or from that and other information in the possession of a data controller, including

any sensitive personal data. Provided that anonymized, encrypted or pseudonymized data which is incapable of identifying an

individual is not personal data.

For the purpose of clarity, “data subject” under the PDPB means a natural person who is the subject of the personal data, whereas

“data controller” means a natural or legal person or the government, who either alone or jointly has the authority to make a

decision on the collection, obtaining, usage or disclosure of personal data.

In addition, the PDPB defines “anonymized data” as information which does not relate to an identified or identifiable natural person

or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. The PDPB defines

“pseudonymisation” as the processing of personal data in such a manner that the personal data can no longer be attributed to a


specific data subject without the use of additional information, provided that such additional information is kept separately and is

subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable

natural person.

It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated

legislation may differ from the consultation draft.

Definition of sensitive personal data

PECA 2016 does not differentiate between the terms “personal data” and “sensitive personal data”, and therefore a piece of

information that is considered as “sensitive personal data” shall be covered under PECA 2016 if the same is capable of being

classified as “identity information” under the aforementioned legislation.

The PDPB however specifically provides a definition of “sensitive personal data” to mean and include data relating to access control

(username and/or password), financial information such as bank account, credit card, debit card, or other payment instruments,

and, passports, biometric data, and physical, psychological, and mental health conditions, medical records, and any detail pertaining

to an individual’s ethnicity, religious beliefs, or any other information for the purposes of the PDPB and rules made thereunder.

It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated

legislation may differ from the consultation draft.

NATIONAL DATA PROTECTION AUTHORITY

There is currently no national data protection authority in Pakistan.

However, the PDPB provides for the creation of a Personal Data Protection Authority of Pakistan (“Authority”) within six months

of the coming into force of the PDPB as law. 

REGISTRATION

There is currently no registration requirement.

However, the PDPB, which is yet to be promulgated, confers upon the Authority the power to devise the appropriate registration

requirements.

DATA PROTECTION OFFICERS

There is currently no law in force which makes mandatory the appointment of a Data Protection Officer.

However, the PDPB, which is yet to be promulgated into law, recognizes the existence and role of a Data Protection Officer.

COLLECTION & PROCESSING

Section 16 of PECA 2016 (“Section 16”), reproduced below for ease of reference, puts restriction on the collection and

processing of personal data without the consent of the person whose personal data is being collected and processed:

“Whoever obtains, sells, possesses, transmits or uses another person’s identity information without authorization shall be punished

with imprisonment for a term which may extend to three years or with fine which may extend to five million rupees, or with both.”

The PDPB, in addition, provides for the imposition of an obligation upon the data controller to intimate to the data subject the

following: the collection of personal data pertaining to the data subject; the legal basis of such data collection and data processing;

the purpose for such data collection and data processing; the data subject’s right to request access to the personal data so

collected and processed; the data subject’s right to request correction of personal data so collected and processed; the class of

third parties to whom the personal data may be disclosed; the mandatory or voluntary nature of such data collection and data


processing; and the consequences of failing to supply such personal data for data collection and data processing where mandatory.

As per the PDPB, where the processing pertains to critical personal data, the PDPB shall (if implemented in its current form)

require the same to be processed in a server or data center within Pakistan.

It must be noted, however, that the PDPB is yet to be promulgated into law and therefore the content of the promulgated

legislation may differ from the consultation draft.

TRANSFER

Section 16 prohibits the transmission of identity information of a person without consent.

In addition, Pakistan prohibits data transfers to any country that it does not recognize, including: Israel, Taiwan, Somaliland,

Nagorno-Karabakh, Transnistria, Abkhazia, Northern Cyprus, Sahrawi Arab Democratic Republic, South Ossetia and Armenia.

This list may change from time to time. Additionally, data transfers to India must be justifiable by the transferor.

Data collated by banks, insurance firms, hospitals, defense establishments and other ‘sensitive’ institutions may not be transferred

to any individual or body without authorization from the relevant regulator on a confidential basis. Such data is further regulated

by contractual terms. In certain cases, data may not be transferred without authorization from the data subject.

However, banks and financial institutions must maintain confidentiality in banking transactions.

Similarly, the PDPB, which is yet to be promulgated, proposes prohibiting the transfer of personal data to unauthorized persons or

systems. Where the transfer of personal data pertains to a transfer to a territory outside of Pakistan, the PDPB would require the

territory where personal data is to be transferred to offer an equivalent degree of personal data protection as that provided for in

Pakistan, provided that such data transfer is done in accordance with a framework for the transfer of personal data outside of

Pakistan as devised by the Authority.

SECURITY

There are currently no additional data security requirements as long as the relevant entities are compliant with the provisions of

PECA 2016.

However, once promulgated, the PDPB would require data collectors and data processors to comply with the standards so

prescribed by the Authority in order to protect personal data.

BREACH NOTIFICATION

There is, at present, no requirement to report data breaches to any individual or regulatory body.

However, the PDPB would, upon coming into force, require the data controller to notify the Authority regarding any personal

data breaches that are likely to result in a risk to the rights and freedoms of the data subject. Moreover, the data processor would

similarly be required to intimate any breach of personal data to the Authority in the event that the data processor is made aware

of such breaches.

ENFORCEMENT

For breaches of provisions of PECA 2016 appropriate relief may be sought through courts of law having jurisdiction in the matter.

Additionally, the PDPB, which is yet to be promulgated, would permit the relevant regulatory authority to exercise all powers

required to enable the same to enforce the provisions of the PDPB.

ELECTRONIC MARKETING

The legislation at present does not provide a comprehensive framework to regulate electronic marketing and the processing or

transmission of any personal data as a result of electronic marketing. Section 25 of PECA 2016 however prohibits any person from

engaging in spamming (including transmission of harmful, fraudulent, misleading, illegal or unsolicited information), though it may be


noted that the aforementioned prohibition is only applicable where such spamming is done by a person for a wrongful gain.

ONLINE PRIVACY

PECA 2016 criminalizes unauthorized access to information systems or data, copying or transmission of data and use of identity

information. PECA 2016 further criminalizes “offenses against the dignity of a natural person,” including the transmission of

information through an information system which “harms the reputation or privacy of a natural person.”

KEY CONTACTS

Liaquat Merchant Associates (LMA)

www.lma.com.pk/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Hira Ahmad
Partner

Liaquat Merchant Associates (LMA)

T +92 21 3583 5101-102-103-104

h.ahmad@lma.com.pk


PANAMA

Last modified 24 January 2022

LAW

Panama has taken significant legislative steps in regulating data protection. Law No. 81 of March 26, 2019, supplemented by

Executive Decree No. 285 of May 28th, 2021 (together the Ley sobre Protección de Datos Personales; the ‘Data Protection

Law’), regulates data protection in the Republic of Panama. The Data Protection Law governs the following:

The principles, rights, obligations, and procedures applicable to the protection of personal data in Panama

The individuals or legal entities, whether private or public, who are subject to the Data Protection Law, as well as those

entities that are classified as “regulated subjects” (ie, banks, insurance companies, telecommunication providers, etc.)

The data subject’s right to access, rectification, cancellation, opposition, and portability

The fines and penalties applicable to those who violate an individual’s right to data protection

As mandated by the Data Protection Law, it’s expected that several sectoral laws will be modified to include certain data

protection terms.

In addition to the Data Protection Law, the following general rules govern data protection:

The Constitution

The Criminal Code

DEFINITIONS

Definition of personal data

Personal Data is defined by the Data Protection Law as the personal information of an individual that identifies him or makes him

identifiable.

Definition of sensitive data

Sensitive Data is defined by the Data Protection Law as the one that refers to the intimate sphere of its owner, or whose

improper use could give rise to discrimination or entail a serious risk for the individual, such as information about the racial or

ethnic origin, beliefs or religious, philosophical and moral convictions; union membership; political opinions; data related to health,

life, sexual preference or orientation, genetic data or biometric data, among others, subject to regulation and aimed at identifying

univocally a natural person.

NATIONAL DATA PROTECTION AUTHORITY

The Data Protection Regulations are enforced and overseen by:

Panama’s National Authority of Transparency and Access to Information (‘ANTAI’) through the Directorate for


the Protection of Personal Data

(Autoridad Nacional de Transparencia y Acceso a la Información)

Del Prado Avenue, Building 713, Balboa, Ancon, Panama

T (507) 527-9270 to 74

Protecciondedatos@antai.gob.pa

The National Authority for Government Innovation (Autoridad Nacional para la Innovación Gubernamental),

supporting ANTAI in matters related to Information and Communications Technology (ICT)

61st Street and Ricardo Arango Avenue, Sucre, Arias y Reyes Building, Floor 3

Obarrio, Panama

T (507) 520-7400

administracion@innovacion.gob.pa

REGISTRATION

The Data Protection Law does not include any registration or notification requirement prior to the processing of data before

Panama’s National Authority of Transparency and Access to Information (“ANTAI”). What it does require is for data controllers

(known in Panama as the “Responsible of the data treatment”, Responsable del tratamiento de datos in Spanish) to have the data

subject’s consent to the processing of said personal data, as a general principle.

DATA PROTECTION OFFICERS

Appointment of a data protection officer is not required under the Data Protection Law.

COLLECTION & PROCESSING

In Panama, personal information is protected at the constitutional level. The Constitution provides that every person has a right of

access to his / her personal information contained in data banks or public or private registries and to request their correction and

protection, as well as their deletion in accordance with the provisions of the law. It also states that such information may only be

collected for specific purposes, subject to the consent of the person in question, or by order of a competent authority based on

the provisions of the law. The disclosure of personal information without consent is also prohibited by the Panamanian Criminal

Code. Criminal penalties apply to the disclosure of personal information where the disclosure causes harm to the affected

individual. 

As per the Data Protection Law, the data subject must consent to the processing of his data and be duly informed of the proposed

use of his personal data. The consent must be obtained in such a way that allows its traceability with documentation, whether

electronic or by any other means that are suitable to the medium of the particular case and can be revoked, without retroactive

effect. If the consent of the data subject is given in the context of a sworn statement that also refers to other matters, the consent

request will be presented in such a way that it is clearly distinguished from the others, in a comprehensible and easily accessible

manner, using a clear and simple language, which will not be binding in any part of the declaration that constitutes an infraction of

the Law and its regulation. Under the Data Protection Law, data subjects need to know how collected personal data will be used.  

The Data Protection Law established the following acceptable grounds to justify processing personal data without a person’s

consent:

Those that come or are collected from public domain sources or accessible in public media.

Those that are collected within the exercise of the functions of the Public Administration in the field of their

competences.

Those of an economic, financial, banking or commercial nature that have prior consent.

Those that are contained in lists related to a category of people that is limited to identifying background, such as the

participation of a natural person to an organization, their profession or activity, their educational titles, address or date of

birth.

Those that are necessary within an established commercial relationship, whether for direct attention, marketing or sale of


goods or services agreed.

The processing of personal data by private organizations for the exclusive use of their associates and the entities to which

they are affiliated, for statistical purposes, for pricing or others of general benefit to them.

Cases of medical or health emergencies.

The treatment of information authorized by law for historical, statistical or scientific purposes.

The treatment that is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third

party, provided that such interests do not prevail over the interests or fundamental rights and freedoms of the interested

party that require the protection of personal data, in particular when the interested party is a minor or a person with a

disability.

TRANSFER

With regards to personal data, the Constitution states that individuals must give their consent in order for their personal data to be transferred or processed in any way.

The Data Protection Law clearly states that in no case may the data controller or the data processor transfer or communicate the data related to an identified or identifiable person after seven years have elapsed from the legal obligation to keep said personal data, unless the data subject expressly requests otherwise. Data controllers can only transfer personal data when they have the prior, informed and unequivocal consent of the data subject, with the exceptions included in the Data Protection Law.

Additionally, the Data Protection Law states that the transfer of personal data is understood to be lawful if any of the following conditions are met:

To have the data subject’s consent.

That the recipient country or international or supranational organization provides an equivalent or a higher level of protection.

That it is included in a law or treaty to which the Republic of Panama is a party.

That it is necessary for prevention or medical diagnosis, the provision of health care, medical treatment or the management of health services.

That it be made to any company of the same economic group as the data controller, provided that the personal data is not used for purposes different from those that originated its collection.

That it is necessary under an executed or soon to be executed contract in the unambiguous interest of the data subject, between the controller and a third party.

That it is necessary or legally required for the safeguard of a public interest or for the legal representation of the data subject or the administration of justice.

That it is necessary for the recognition, exercise or defense of a right in a judicial process, or in cases of international judicial collaboration.

That it is necessary for the maintenance or fulfilment of a legal relationship between the data controller and the data subject.

That it is required to conclude bank or stock transfers, relative to the respective transactions and according to the legislation that is applicable to them.

That it has as its object international cooperation among intelligence agencies for the fight against organized crime, terrorism, money laundering, computer crimes, child pornography and drug trafficking.

That the data controller responsible for the data transfer and the recipient adopt mechanisms of binding self-regulation, provided that they are in accordance with the provisions of the Data Protection Law.

That it is carried out within the framework of contractual clauses that contain mechanisms for the protection of personal data in accordance with the provisions set out in the Data Protection Law, provided that the data subject is a party.

In all cases, the data controller responsible for the data transfer and the recipient of the personal data will be responsible for the legality of the data processing.

SECURITY

In matters of security, data controllers must establish protocols, safe management and transfer processes and procedures to protect the rights of data subjects under the precepts of this Law. The minimum requirements that must be contained in the privacy policies, protocols and procedures for data processing and transfer that must be met by the data controller will be issued by the regulator of each sector in accordance with this law.

In the event that the treatment or transfer of personal data is carried out through the Internet or any other electronic, digital or physical means, the data controller or the data processor, whichever applies, must comply with the standard certifications, protocols, and technical and management measures appropriate to preserve the security of their systems or networks, in order to guarantee the levels of protection of personal data established by the Data Protection Law.

BREACH NOTIFICATION

Operators that manage public networks or that provide communication services available to the public shall guarantee in the exercise of their activity the protection of personal data in accordance with the Data Protection Law and the regulations that develop it. They must also adopt the appropriate technical and management measures to preserve the security in the operation of the network or in the provision of their services, in order to guarantee the levels of protection for the personal data that are required by the Data Protection Law and its regulations, as well as certifications, protocols, standards and other measures established by the respective authorities.

In case there is a particular affectation or violation of the security of the network communication system, the operator that manages such network or provides the communication service will inform the data subjects about said affectation and about the measures to adopt.

ENFORCEMENT

ANTAI, through a Directorate created for this purpose, is empowered to sanction data controllers or data processors that are found to have infringed data subjects’ rights, in the course of an investigation of complaints filed and proven against them.

Sanctions will be subject to ANTAI, which will set the amounts of the sanctions applicable to the respective violations according to their seriousness, ranging from one thousand US dollars (USD 1,000.00) up to ten thousand US dollars (USD 10,000.00).

ELECTRONIC MARKETING

Law No. 51 of July 22nd, 2008, as amended by Law 82 of November 9, 2012 (“Law 51”), and its bylaws, established in Executive Decree No. 40 of May 19, 2009 (“Decree 40”) and Executive Decree No. 684 of October 18, 2013 (“Decree 684”), regulate electronic documents and electronic signatures, as well as the rendering of data storage services and the certification of electronic signatures, and adopt other provisions for the development of e-commerce. Law 51 establishes that companies that sell goods or services in Panama through the Internet will be subject to the other provisions of national legislation that apply to them based on the activity they carry out, regardless of the use of electronic means for its realization.

With respect to email advertising, Panamanian law requires that all such emails:

State that they are commercial communications

Include the name of the sender

Set forth the mechanism through which the recipient may choose not to receive any further communications from the particular sender

These requirements apply to other promotional offers as well.

Further, although opt-out tools are not prohibited, the client’s initial opt-in consent is specifically required if an entity wishes to use the client’s email for advertising purposes. Further, although no specific prohibition has been enacted with respect to the use of information for online advertising, obtaining the customer’s consent is always preferable.

ONLINE PRIVACY

The existing regulatory framework does not yet address location data, cookies, local storage objects or other similar data-gathering tools.


KEY CONTACTS

Galindo, Arias & Lopez

gala.com.pa/


Ramon Ricardo Arias Porras
Galindo, Arias & Lopez

T +507 303 0303

rrarias@gala.com.pa

Beatriz Cabal
Galindo, Arias & Lopez

T +507 303 0303

becabal@gala.com.pa

Jose Luis Sosa
Galindo, Arias & Lopez

T +507 303 0303

jsosa@gala.com.pa


PARAGUAY

Last modified 24 January 2022

LAW

Legal framework

National Constitution, art. 135, Habeas Data: Any person may file an action to have access to (i) personal data about such person or its property; and (ii) information about the use of such data and the purpose for which it is kept, whether it is stored in public or private data registries. Additionally, any person may request the suppression, correction, confidentiality or updating of the data where inaccurate or discriminatory;

Criminal Code, art. 174 (Unlawful access to computer systems) and art. 175 (Sabotage of computer systems): individuals or entities that unlawfully access or alter personal data contained in databases (computer systems) are criminally liable;

Law No. 6534/2020 “of protection of personal credit data” (“Personal Credit Data Protection Law” or “Law”). The previous data protection regulatory regime led by Law No. 1682/2001 “which regulates the use of private information”, as amended by laws No. 1969/2002 and 5543/2015, is no longer in force and was replaced in full by the Personal Credit Data Protection Law (Art. 30 of the Law); and

Law No. 4868/2013 “Electronic Commerce” (“Electronic Commerce Law”) and its regulatory decree No. 1165/2014 (“Regulatory Decree of the Electronic Commerce Law”).

DEFINITIONS

Definition of personal data

Art. 3 of the Personal Credit Data Protection Law defines Personal Data or Personal Information as “information of any type that refers to legal entities or natural persons that are identified or identifiable. An identifiable person shall mean any person who can be identified by means of an identifier or by one or more elements that characterize the physical, physiological, genetic, mental, economic, cultural, or social identity of the data subject. The rights and guarantees of personal data protection shall be extended to legal entities, insofar as they are applicable”.

Definition of sensitive personal data

Sensitive Personal Data is defined as information that refers to the intimate sphere of the data subject, or data that, if misused, may give rise to discrimination or entail a serious risk for the data subject. Personal data is considered sensitive when it reveals aspects such as racial and ethnic origin; religious, philosophical and moral beliefs or convictions; trade union memberships; political opinion; data related to health, life, sexual preference or orientation; and genetic or biometric data aimed at uniquely identifying a natural person.

The Personal Credit Data Protection Law further defines Credit Data as ‘information, positive and negative, related to the credit history of natural persons and legal entities, in relation to credit, commercial and other activities of similar nature, that serves to identify, correctly and unequivocally, the data subject, his/her address, business activity, determine his/her level of indebtedness, compliance with his/her financial obligations and, in general, of his/her credit risks, at any given time’.


NATIONAL DATA PROTECTION AUTHORITY

There is no National Data Protection Authority in Paraguay.

For activities that are considered to be “electronic commerce” as provided by the Electronic Commerce Law, the national authority is the General Direction of Digital Signature and Electronic Commerce – Ministry of Industry and Commerce (“Electronic Commerce Direction”).

REGISTRATION

Under the current legislation, no registration is required in order to process or store personal data.

Even though the Electronic Commerce Law does not establish a registration requirement, according to Art. 7 of the Regulatory Decree of the Electronic Commerce Law, the Electronic Commerce Direction has the power to gather information from companies that render services via electronic means (such as electronic data storage companies) regarding:

their commercial activity;

their identity; and

other data established in current regulations.

Such companies have the duty to collaborate with the Electronic Commerce Direction and comply with all information requirements (Art. 8, Regulatory Decree of the Electronic Commerce Law).

DATA PROTECTION OFFICERS

Under current legislation, the appointment of Data Protection Officers is not required.

COLLECTION & PROCESSING

Under the current legal regime, it is prohibited to publicize or diffuse sensitive data of people that are explicitly identified or identifiable (Art. 4 of the Personal Credit Data Protection Law).

The current regulatory regime allows, for private use, the collection, storage and processing of personal information when it is lawful, exact, complete, true and updated for the specific purpose for which the data was collected (Art. 7 of the Law). However, the data subject has to give consent to the collection and use of their personal information; to that effect, the data subject has to be informed, clearly and expressly, about the purposes their collected personal data will be processed for. The data subject’s consent may be revoked at any time under the same conditions as it was granted (Art. 6 of the Personal Credit Data Protection Law).

The Personal Credit Data Protection Law specifically regulates personal credit data collection and processing by Credit Data Bureaus. Such bureaus have to be fully authorized and registered by the Central Bank in order to be able to render credit reference services (ie, provision of data related to personal credit information of persons or entities) and may only provide services to specific users (eg, financial entities, banks, credit agencies, etc.) (Arts. 3, 12, 13 and 14 of the Law).

Furthermore, the Personal Credit Data Protection Law establishes that a Credit Data Bureau may process personal data related to the financial solvency and credit of persons or entities provided that:

the data was provided by the data subject; or

the data subject provided express and written consent; or

the information is related to information that private or governmental entities have the duty to publish; or

the information is public (Art. 13 of the Law).

The Personal Credit Data Protection Law also establishes a duty for the person/entity responsible for collecting and/or storing the data to permanently update (when necessary) any personal information regarding the financial situation, solvency and/or the fulfilment of commercial and financial obligations (Arts. 9 and 11 of the Law). It also provides that the users of Credit Data Bureaus have the obligation to regularly provide to them updated data on their credit portfolio clients, especially information related to compliance with credit obligations, which must be notified within twenty-four (24) hours of its cancellation (Art. 14 of the Law).

In addition, the Law establishes that Personal Credit Data which may affect a data subject cannot be stored (and/or publicized) for more than five (5) years from the date of the recorded event (Art. 9 of the Law).

A data subject has the right to:

access the information and data about themselves, their dependents and/or property;

know the use and purpose of such data; and

where data is incorrect, inexact or misleading, request access, prompt correction, rectification, to withdraw consent and object to the processing (Art. 5 of the Personal Credit Data Protection Law).

In addition, the Regulatory Decree of the Electronic Commerce Law establishes that the data subject’s express consent is required in order to obtain any personal information (Art. 13). Accordingly, electronic data collection, storage and processing companies (and other companies that render services via electronic means who collect personal data) have the duty to inform the data subject about:

the purposes for which the personal data are collected; and

how the personal data collected will be processed.

TRANSFER

The Personal Credit Data Protection Law establishes that international transfers of personal data to a recipient that is in a third country (as defined under the Law), or to an international organization, where the guarantees, requirements and/or exceptions established in the Law are not met, is a violation of applicable data protection law and, thus, can be subject to sanctions (Art. 21.x. of the Law).

Under current legislation, there are no other specific provisions that regulate the transfer of private information. However, the transfer of private information is considered a form of data processing, so the same rules as for the collection and processing of personal data apply (Art. 3.e. of the Law – definition of treatment of data).

SECURITY

Under current legislation, there are no specific security requirements regarding the protection of private information. However, Art. 10 of the Law establishes that the person or entity responsible for the treatment of personal credit data shall guarantee the adoption and implementation of the necessary technical, organizational and security measures to protect the access to and integrity of personal data, in order to prevent its alteration, loss, commercialization and unauthorized access.

The Regulatory Decree of the Electronic Commerce Law also establishes that companies that render services via electronic means (that also collect or process personal or private data) have the duty to:

inform the recipient of such data of the person in charge of its custody and storage; and

implement secure systems to avoid the unauthorized loss, alteration and/or third party access to such data (Art. 11).

Additionally, such companies have the duty to inform consumers and users (in a transparent, clear and simple manner) regarding the specifics of:

the level of security and the applicable privacy policy covering the permanent protection of personal data; and

the security measures and technology used to protect the means of payment and the transfer, processing and/or storage of financial data (Art. 12).

BREACH NOTIFICATION

No data breach notification obligation exists under the current data protection regime.


ENFORCEMENT

The current legal regime contemplates the following enforcement mechanisms:

Without the need of a court order, a data subject has the right to (i) access the information and data about themselves, their dependents and/or property and know how such data is used; and (ii) request the correction and suppression of the information (Arts. 5 and 8 of the Personal Credit Data Protection Law). Data controllers and processors must establish simple, fast, accessible and free of charge procedures to enable data subjects to exercise their rights. However, where the data subject’s efforts in obtaining the above are unsuccessful, it may bring court actions to compel access to personal data and request the correction, suppression or updating of such data; and

Violations against obligations established under the Personal Credit Data Protection Law and the Electronic Commerce Law are subject to fines.

The enforcement authorities for the enforcement of the Personal Credit Data Protection Law are the Central Bank of Paraguay (‘BCP’) and the National Secretariat of Consumer and User Defense (‘SEDECO’). The BCP has authority to further regulate, interpret and enforce the Law (Art. 20 of the Personal Credit Data Protection Law).

ELECTRONIC MARKETING

The Electronic Commerce Law requires that all marketing communications and promotional offers:

state that they are commercial communications;

include the name of the sender; and

provide a mechanism through which the recipient may choose not to receive any further communications from the particular sender.

Additionally, the communication shall state that the recipient’s private data was obtained without violating privacy rights.

Electronic Marketing is also subject to the general marketing and advertising related provisions of the Consumer’s Protection Law.

ONLINE PRIVACY

Art. 30.3. of the Electronic Commerce Law requires suppliers of goods and services which use data storage and recovery devices to clearly and thoroughly inform users and consumers about the use of and purposes regarding the collected data, and to provide data subjects the ability to object to the use (opt-out) of their personal data through a simple procedure and free of charge.

Other than the rule mentioned above, the current legal framework does not specifically address location data, cookies, local storage objects or other similar data-gathering tools.

KEY CONTACTS

Jorge Angulo
Junior Partner

Fiorio, Cardozo & Alvarado Law Firm

jorge.angulo@fca.com.py

Francisca Peroni
Associate

Fiorio, Cardozo & Alvarado Law Firm

francisca.peroni@fca.com.py


PERU

Last modified 24 January 2022

LAW

Article 2 of the Political Constitution of Peru sets forth certain fundamental rights that every person has, including a right to privacy regarding information that affects personal and family privacy, which was the basis for the creation of a law that specifically protects the use of personal data of any natural person and applies to both private and state entities.

The Personal Data Protection Law N° 29733 (PDPL) was enacted in June 2011. In March 2013, the Supreme Decree N° 003-2013-JUS, Regulation of the PDPL (Regulation), was published in order to develop, clarify and expand on the requirements of the PDPL and set forth specific rules, terms and provisions regarding data protection.

Together, the PDPL and its Regulation are the primary data protection laws in Peru.

Further, the law regulating private risk centers and the protection of the owner of the information is Law Nº 27489, enacted in 2001 and later amended several times. This law establishes the applicable provisions for activities related to risk centers and companies that handle:

Information posing higher risks to individuals (eg, related to financial, commercial, tax, employment or insurance obligations or background of a natural or legal person that allows evaluating its economic solvency), and

Sensitive personal data (according to the PDPL)

DEFINITIONS

Definition of personal data

Personal data is defined as information — regardless of whether numerical, alphabetic, graphic, photographic, acoustic — about personal habits or any other kind of information about an individual that identifies or may identify such individual by any reasonable means.

Definition of sensitive personal data

Sensitive personal data includes all of the following:

Personal data created through biometric data which by itself renders a data subject identifiable

Personal data regarding an individual’s physical or emotional characteristics, facts or circumstances of their emotional or family life, as well as personal habits that correspond to the most intimate sphere

Data referring to racial and ethnic origin

Economic income, opinions or political, religious, philosophical or moral convictions

Union membership

Information related to physical or mental health, to sexual life or other similar information that affects the data subject’s privacy


NATIONAL DATA PROTECTION AUTHORITY

The Directorate for the Protection of Personal Data, which is part of the General Directorate of Transparency, Access to Public Information and Protection of Personal Data (NDPA), is the primary agency in charge of enforcing data protection matters.

The NDPA’s current address is:

Scipion Llona 350

Miraflores, L-18

Lima

Peru

Website: https://www.minjus.gob.pe/

REGISTRATION

The National Registry for the Protection of Personal Data (NRPDP) maintains information about personal databases of public or private ownership and publishes a list of such databases to facilitate individuals’ exercise of their rights of access to information, rectification, cancellation, opposition and others regulated in the PDPL and its Regulation.

In addition, the NRPDP maintains records of:

Communications of cross-border flow of personal data

The codes of conduct of the holders of personal databases, and

The sanctions, precautionary or corrective measures imposed by the NDPA

The holders of personal databases must register in the NRPDP providing the following information:

The name and location of the personal database

The purposes and the intended uses of the database

The identification of the owner of the personal database

The categories and types of personal data to be processed

Collection procedures and a description of the system for processing personal data

The technical description of the security measures

The recipients of personal data transfers

The cross-border transfer of personal data must be notified to the NDPA, including the information required for the transfer of data and registration of the database.

DATA PROTECTION OFFICERS

There is no requirement to appoint a data protection officer. However, when a company registers its personal data bank before the authority, it can report that it has a Security Manager for that data bank.

COLLECTION & PROCESSING

The collection and processing of personal data requires the data subject’s prior, informed, express and unequivocal consent. The consent may be expressed through electronic means.

The collection and processing of sensitive personal data requires the data subject’s prior, informed, express and unequivocal consent, and must be expressed in writing.

The data subject’s consent is not necessary if any of the following are true:

The data are compiled or transferred for the fulfillment of governmental agency duties

The data are contained or destined to be contained in a publicly available source

The data are related to credit standing and financial solvency, as governed by applicable law (Law Nº 27489)

A law is enacted to promote competition in regulated markets, under the powers afforded by the Framework Law for Regulatory Bodies of Private Investment in Public Services (Law Nº 27332), provided that the information supplied does not breach the user’s privacy

The data are necessary for a contractual, scientific or professional relationship with the data subject, provided that such data is necessary for the development of and compliance with such relationship

The data are needed to protect the health of the data subject, and data processing is necessary, in circumstances of risk, for prevention, diagnosis, and medical or surgical treatment, provided that the processing is carried out in health facilities or by professionals in health sciences observing professional secrecy

The data are needed for public interest reasons declared by law or public health reasons (both must be declared as such by the Ministry of Health) or to conduct epidemiological studies or the like, as long as dissociation procedures are applied

The data are dissociated or anonymized

The data are used by a nonprofit organization with a political, religious, or trade union purpose, and refer to the data of its members within the scope of the organization’s activities

The data are necessary to safeguard the legitimate interest of the data subject or the data handler

The data are being processed for purposes linked to money laundering and terrorist financing or others that respond to a legal mandate

In the case of economic groups made up of companies that are considered subjects obliged to inform, the data is processed in accordance with the rules that regulate the Financial Intelligence Unit, so that they may share information with each other about their respective clients to prevent money laundering and financing of terrorism (as well as in other instances of regulatory compliance, establishing adequate safeguards on the confidentiality and use of the information exchanged)

When the treatment is carried out in a constitutionally valid exercise of the fundamental right to freedom of information

Others expressly established by law

If the data controller outsources the processing of the personal data to a third party (ie, a processor), such party must also comply with the relevant requirements of the PDPL (eg, to maintain personal data as confidential, to use the personal data only for the purposes authorized and to modify inaccurate information).

Upon termination or expiration of the outsourcing agreement, the personal data processed must be deleted, unless the data subject provides express consent to do otherwise.

The processing of personal data by cloud services, applications and infrastructure is permitted, provided compliance with the provisions of the PDPL and its Regulation is guaranteed.

TRANSFER

Where personal data is transferred to another entity, recipients must be required to handle such personal data in accordance with the provisions of the PDPL and its Regulation.

Generally, data subject consent is required.

Cross-border transfers

The transferring entity may not transfer personal data to a country that does not afford adequate protection levels (protections that are equivalent to those afforded by the PDPL or similar international standards). If the receiving country does not meet these standards, the sender must ensure that the receiver in the foreign country is contractually obligated to provide ‘adequate protection levels’ to the personal data, such as via a written agreement that requires that the personal data will be protected in accordance with the requirements of the PDPL, or under one of the following circumstances:

In accordance with international treaties to which Peru is a party

For purposes of international judicial cooperation or international cooperation among intelligence agencies to combat:

Terrorism

Drug trafficking

Money laundering

Corruption

Human trafficking, and

Other forms of organized crime

When necessary for a contractual relationship with the data subject, or for a scientific or professional relationship

Bank or stock transfers concerning transactions in accordance with the applicable law

The transfer is performed to protect, prevent, diagnose or medically or surgically treat the data subject, or to perform studies of epidemiology or the like, provided a data dissociation procedure has been applied

The owner of the personal data has given its prior, informed, express and unequivocal consent to the transfer to the inadequate jurisdiction

Other exempt purposes established by the Regulations

For both domestic and cross-border transfers, the recipient must assume the same obligations as the transferor of the personal data. The transfer must be formalized, such as by binding written contract, and capable of demonstrating that the holder of the database or the data controller communicated to the recipients the conditions under which the data subject consented to their processing.

SECURITY

Database holders and data handlers must adopt the technical, organizational and legal measures necessary to guarantee the security of the personal data they hold. The measures taken must ensure a level of security appropriate to the nature and purpose of the personal data involved.

The Agency has passed Directorial Resolution Nº 019-2013-JUS/DGPDP (hereafter, the ‘Security Directive’). This Security Directive establishes different standards depending on the features of the database, including:

Number of data subjects whose data are contained in the database

Number of fields of the database (eg, name, address, phone number)

Existence of sensitive data

Owner of the database (an individual or entity)

The following security measures must be taken with respect to the loss of a personal data bank:

Backup copies of personal data must be made to allow recovery in case of loss or destruction

Any recovery of personal data from the backup must have the authorization of the person in charge of the personal data bank

Recovery of personal data from the backup must be tested to verify that backup copies can be used if they are required

For digital information, it is important to mention that the computer systems that handle databases or process personal data must include in their operation records that keep all types of interaction with logical data, so as to identify the users, changes, consultations, starting and closing hours of a session and other actions that are carried out. These records will allow access by competent, authorized and identified personnel only.

Further, it is necessary to establish the following:

Security measures related to authorized access to the data, by procedures of identification and authentication that guarantee the confidentiality and integrity of the data

The necessary mechanisms for correct application of the procedures for making backup copies and recovery of the data, in order to guarantee reconstruction to the status the data had at the time of the loss or destruction

The applicable measures in which the information must be processed, stored or transmitted—taking into account the controls,

policies, standards and recommendations related to physical and environmental security—are established in the following

documents:

Peruvian Technical Standards ‘NTP- ISO/IEC 17799: 2007 EDI. Technology of Information. Code of Good Practice for the

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Peru 816 | | | www.dlapiperdataprotection.com

management of the security of the information. 2nd Edition’

‘NTP ISO/IEC 27001: 2008 EDI Technology of Information. Security Techniques. Systems of Management of Information

Security. Requisites.’
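The operation-record requirement above (users, changes, consultations, session start and end, readable only by authorized personnel) is what an engineer has to design for when a system processes personal data under the Security Directive. The following is an added example, not code from the DLA Piper handbook or from the Directive: a small append-only audit log in Python in which every record carries the hash of the record before it, so that a later edit or deletion of a log entry breaks the chain and is detected on verification. The field names, the constructed sample session and the tampering step are this example's own assumptions; the Directive prescribes what must be recorded, not this format.

```python
"""
Added example (not from the DLA Piper handbook or the Security Directive):
a tamper-evident operation log recording who did what and when (session
start/end, consultations, changes). Each record is chained to the previous
one by hash, so later alteration or deletion of an entry is detectable.
Field names and the sample events below are this example's own assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the very first record


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous record's hash plus this record's canonical JSON."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


class OperationLog:
    """Append-only log; every entry stores the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def record(self, user: str, action: str, target: str = "", detail: str = "",
               when=None) -> dict:
        """Append one event. action is e.g. session_start, session_end, query, change."""
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self.entries),
            "ts": when.isoformat(),
            "user": user,
            "action": action,
            "target": target,   # database, table or record touched (assumed field)
            "detail": detail,   # free-text description of the operation
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(body, prev_hash=prev, hash=_digest(prev, body))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple:
        """Recompute the chain; return (True, -1) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or e["hash"] != _digest(prev, body):
                return False, i
            prev = e["hash"]
        return True, -1

    def actions_by(self, user: str) -> list:
        """Actions attributed to one user, in order (what an auditor would pull)."""
        return [e["action"] for e in self.entries if e["user"] == user]


def demo() -> dict:
    """Constructed session: login, a consultation, a change, logout; then an
    attempt to rewrite the change record, which the chain check catches."""
    log = OperationLog()
    t0 = datetime(2023, 2, 1, 9, 0, tzinfo=timezone.utc)
    log.record("jperez", "session_start", when=t0)
    log.record("jperez", "query", "clientes", "SELECT by DNI", when=t0)
    log.record("jperez", "change", "clientes", "UPDATE direccion for id=42", when=t0)
    log.record("jperez", "session_end", when=t0)
    clean = log.verify()
    # Tampering: try to hide the update by editing the stored record in place
    log.entries[2]["detail"] = "no-op"
    tampered = log.verify()
    return {"clean": clean, "tampered": tampered, "count": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The chain only proves integrity of what is on disk from the point it was written; keeping a copy of the latest hash somewhere the database operators cannot write to (a separate log host, or a periodic signed checkpoint) is what stops an attacker who controls the log file from simply recomputing the whole chain.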

BREACH NOTIFICATION

The holder of a database (and the processor, where applicable) is required to implement security measures to prevent unauthorized access to personal data.

As a consequence, an implied obligation is to adopt all corrective measures in the event of a data breach in order to minimize the damage it may cause to the data subjects. For that reason, the Security Directive establishes security measures against:

The loss of the personal database, and

Unauthorized processing of the personal database

Accordingly, any data breach should be communicated to the data subjects as soon as it is confirmed. The database owner must inform the data subject of ‘any incident that significantly affects their property or their moral rights’, as soon as the occurrence of the incident is confirmed.

The minimum information to be provided in a notice includes a description of:

The incident

The personal data disclosed

Recommendations to the data subject

The corrective measures implemented

Mandatory breach notification

No breach notification to the NDPA is required.

ENFORCEMENT

The General Directorate of Sanctions (part of the NDPA) instructs on and resolves violations in the first instance, imposes sanctions, and conducts the investigation phase in accordance with Article 115 of the Regulation of the PDPL.

The General Directorate for the Protection of Personal Data (also part of the NDPA) resolves the sanctioning procedure in the second and final instance, and its decision exhausts the administrative route.

Possible sanctions for breaching data protection standards vary depending on the nature or magnitude of the offense:

The fine applicable to minor infringements ranges from S/ 2,300 to S/ 23,000 (approximately between USD 575 and USD 5,750)

The fine applicable to severe infringements ranges from S/ 23,000 to S/ 230,000 (approximately between USD 5,750 and USD 57,500)

The fine applicable to very severe infringements ranges from S/ 230,000 to S/ 460,000 (approximately between USD 57,500 and USD 115,000)

The NDPA is also authorized to impose additional fines of up to S/ 46,000 (approximately USD 11,500) if the offender, despite having been found liable and sanctioned, fails to remedy the unlawful practice. These fines apply in addition to civil and criminal liability.

ELECTRONIC MARKETING

The PDPL does not expressly regulate electronic marketing. However, the PDPL does apply to electronic marketing activities if personal data is processed as a result.

If consent is obtained through electronic media, the notice requirements can be met by publishing accessible and identifiable privacy policies with the relevant consent language and mechanism. The PDPL allows express consent to be obtained by presenting the option to agree with the privacy policies in clickable ways (eg, by clicking or ticking a box).

Written consent may be provided by other means, including:

Through an electronic signature

A written document that can be read or printed

A mechanism or procedure that allows the subject to be identified and his consent to be received as written text

A pre-established text, as long as it is easily visible, legible and written in simple language

The laws governing electronic signatures are:

Law N° 27291

The Digital Certificates and Signatures Law (Law N° 27269)

Supreme Decree N° 052-2008-PCM

Note that expressing consent in any of the regulated forms does not eliminate the other requirements of consent, namely that it must be informed and freely given.

According to the Consumer Protection Code (Law N° 29571), the following commercial activities require prior, informed, express and unequivocal consent when used to promote products and services:

Use of call centers

Use of telephone call systems

Bulk text messages or emails

Telemarketing services

It is permitted to obtain personal information from public sources or by licit means in order to contact data subjects to obtain their consent for the aforementioned commercial activities. However, whenever a data subject does not grant consent for commercial activities, they must not be contacted again for those purposes.

Furthermore, easily accessible and free mechanisms must be implemented to allow data subjects to revoke their consent to the commercial purposes.

ONLINE PRIVACY

The PDPL does not expressly regulate online privacy, including cookies and location data. However, the PDPL applies if personal data is collected and processed using these mechanisms.

This means that the use and deployment of cookies, location data or any other personal data that will be collected must comply with data privacy laws. The data subject’s consent must be obtained before cookies and/or location data can be used.

With respect to criminal law enforcement, Legislative Decree N° 1182 permits the National Police of Peru to access the location and geolocation of mobile phones or electronic devices of a similar nature in cases of flagrante delicto.

It establishes the obligation for public communications service providers and public entities to retain their users’ data derived from telecommunication services for the first 12 months in computer systems and for an additional period of 24 months in an electronic storage system. Such service providers are bound to provide location and geolocation data immediately, 24 hours a day, 365 days a year, on pain of the liabilities provided by law in the event of noncompliance.


KEY CONTACTS


Ricardo Escobar
Partner

DLA Piper Pizarro Botto Escobar

T +1 511 616 1200

rescobar@dlapiperpbe.com

Daniel Flores
Associate

DLA Piper Pizarro Botto Escobar

T +1 511 616 1200

dflores@dlapiperpbe.com


PHILIPPINES

Last modified 17 December 2021

LAW

The Data Privacy Act of 2012 (“Act” or “DPA”), or Republic Act No. 10173, which took effect on 8 September 2012, is the governing law on data privacy matters in the Philippines.

In 2021, the House of Representatives of the Philippines approved and transmitted to the Philippine Senate a bill seeking to amend the DPA. The proposed amendments broadly include:

Defining biometric and genetic data.

Redefining “sensitive personal information” to include biometric and genetic data, and political and labor affiliation.

Clarifying the extraterritorial application of the DPA by specifying the instances in which the processing of personal data of Philippine citizens and/or residents is covered.

Defining the digital age of consent to the processing of personal information as more than fifteen (15) years, applicable where information society services are offered directly to a child.

Including the performance of a contract as a new lawful basis for the processing of sensitive personal information.

Allowing Personal Information Controllers (“PIC”) outside of the Philippines to authorize Personal Information Processors (“PIP”) or any other third party in the country, in writing, to report data breaches to the National Privacy Commission (“NPC”) on behalf of the PIC.

Modifying the criminal penalties under the DPA, giving the courts the option to impose either imprisonment or a fine in their sound judgment.

The bill remains pending before the Philippine Senate.

Another bill pending before the Philippine Senate likewise seeks to amend the DPA. Specifically, it seeks to exclude from the DPA personal information and sensitive personal information that are necessary to address a health crisis during a period of a declared national emergency or pandemic.

Given the rigorous process of passing a law in the Philippines, and particularly considering the national elections in May 2022, there are no indications that either of these pending bills will be passed into law within the next 12 months.

DEFINITIONS

Definition of personal information

Personal Information is defined in the Act as ‘any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.’

The Act, in addition to defining the ‘Personal Information’ covered by the law, also expressly excludes certain information from its coverage. These are:

information about any individual who is or was an officer or employee of a government institution that relates to the position or functions of the individual, including:

the fact that the individual is or was an officer or employee of the government institution

the title, business address and office telephone number of the individual

the classification, salary range and responsibilities of the position held by the individual, and

the name of the individual on a document prepared by the individual in the course of employment with the government.

information about an individual who is or was performing services under contract for a government institution that relates to the services performed, including the terms of the contract, and the name of the individual given in the course of the performance of those services

information relating to any discretionary benefit of a financial nature, such as the granting of a license or permit given by the government to an individual, including the name of the individual and the exact nature of the benefit

personal information processed for journalistic, artistic, literary or research purposes (intended for a public benefit)

information necessary in order to carry out the functions of a public authority, which includes the processing of personal data for the performance by the independent central monetary authority and by law enforcement and regulatory agencies of their constitutionally and statutorily mandated functions. Nothing in the Act shall be construed as having amended or repealed Republic Act No. 1405, otherwise known as the Secrecy of Bank Deposits Act; Republic Act No. 6426, otherwise known as the Foreign Currency Deposit Act; and Republic Act No. 9510, otherwise known as the Credit Information System Act (“CISA”).

information necessary for banks and other financial institutions under the jurisdiction of the independent central monetary authority, the Bangko Sentral ng Pilipinas, to comply with Republic Act No. 9510 and Republic Act No. 9160, as amended, otherwise known as the Anti-Money Laundering Act, and other applicable laws, and

personal information originally collected from residents of foreign jurisdictions in accordance with the laws of those foreign jurisdictions, including any applicable data privacy laws, which is being processed in the Philippines.

Definition of sensitive personal information

“Sensitive personal information” is defined in the Act as personal information:

about an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations

about an individual’s health, education, genetic or sexual life, or about any proceeding for any offence committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings

issued by government agencies peculiar to an individual, which includes, but is not limited to, social security numbers, previous or current health records, licenses or their denial, suspension or revocation, and tax returns, and

specifically established by an executive order or an act of Congress to be kept classified.

NATIONAL DATA PROTECTION AUTHORITY

The National Privacy Commission (“NPC” or “Commission”) is an independent body mandated to administer and implement the Act, and to monitor and ensure the country’s compliance with international standards for personal data protection. The NPC was created in 2016, and the implementing rules and regulations of the Act took effect in the same year.

REGISTRATION

All persons engaged in the processing of personal data within and outside the Philippines shall appoint a Data Protection Officer (“DPO”).

Mandatory registration of data processing systems is required from a PIC or PIP if it is processing personal data and operating in the country under any of the following conditions:

the PIC or PIP employs at least two hundred fifty (250) employees;

the processing includes sensitive personal information of at least one thousand (1,000) individuals;

the processing is likely to pose a risk to the rights and freedoms of data subjects. Processing operations that pose a risk to data subjects include those that involve:

information that would likely affect national security, public safety, public order, or public health;

information required by applicable laws or rules to be confidential;

vulnerable data subjects like minors, the mentally ill, asylum seekers, the elderly, patients, those involved in criminal offenses, or any other case where an imbalance exists in the relationship between a data subject and a PIC or PIP;

automated decision-making; or

profiling;

the processing is not occasional. Processing is considered occasional if it is only incidental to the mandate or function of the PIC or PIP, or if it only occurs under specific circumstances and is not regularly performed. Processing that constitutes a core activity of a PIC or PIP, or is integral thereto, is not considered occasional.

In determining whether the foregoing conditions exist, relevant factors such as the number of employees, or the records of individuals whose sensitive personal information is being processed, are considered only if they are physically located in the Philippines. Data processing systems that involve automated decision-making must, in all instances, be registered with the NPC. For all other data processing systems where the processing is likely to pose a risk to the rights and freedoms of data subjects and is not occasional (as discussed above), the Commission determines the specific sectors, industries or entities that are covered by mandatory registration.

The initial list of such sectors, industries or entities may be found at https://www.privacy.gov.ph/wp-content/uploads/2017/08/NPC17-01_Appendix-1

This list is regularly reviewed and may be updated by the NPC through subsequent issuances.

The NPC has yet to establish a system that would enable a PIC or PIP to register its personal data processing systems with the NPC.

DATA PROTECTION OFFICERS

The personal information controller of an organization must appoint a person or persons who shall be accountable for the organization’s compliance with the Act, and the identity of such person or persons must be disclosed to data subjects upon request. The Act does not specifically provide for the citizenship and residency of the data protection officer, nor does it specifically provide for penalties relating to the incorrect appointment of data protection officers.

For a step-by-step guideline on the registration of an entity’s DPO, see https://www.privacy.gov.ph/guidelines-on-dpo-registration-process/

COLLECTION & PROCESSING

The collection and processing of Personal Information must comply with the general principle that Personal Information must be:

collected for specified and legitimate purposes determined and declared before, or as soon as reasonably practicable after, collection, and later processed only in a way compatible with such declared, specified and legitimate purposes

processed fairly and lawfully

accurate, relevant and, where necessary for the purposes for which it is to be used, kept up to date; inaccurate or incomplete data must be rectified, supplemented, destroyed, or their further processing restricted

adequate and not excessive in relation to the purposes for which they are collected and processed

retained only for as long as necessary for the fulfillment of the purposes for which the data was obtained, or for the establishment, exercise or defense of legal claims, or for legitimate business purposes, or as provided by law, and

kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected and processed:

provided that personal information collected for other purposes may be processed for historical, statistical or scientific purposes, and in cases laid down in law may be stored for longer periods, and

provided, further, that adequate safeguards are guaranteed by the laws authorizing their processing.

In addition, the processing of Personal Information must meet at least one of the following criteria; otherwise, such processing is prohibited:

the data subject has given his or her consent

the processing of personal information is necessary and is related to the fulfillment of a contract with the data subject, or in order to take steps at the request of the data subject prior to entering into a contract

the processing is necessary for compliance with a legal obligation to which the personal information controller is subject

the processing is necessary to protect vitally important interests of the data subject, including life and health

the processing is necessary in order to respond to a national emergency, to comply with the requirements of public order and safety, or to fulfill functions of public authority, which necessarily includes the processing of personal data for the fulfillment of its mandate, or

the processing is necessary for the purposes of the legitimate interests pursued by the personal information controller or by a third party or parties to whom the data is disclosed, except where such interests are overridden by fundamental rights and freedoms of the data subject which require protection under the Philippine Constitution.

The processing of Sensitive Personal Information is prohibited, except in the following cases:

the data subject has given his or her specific consent prior to the processing, or, in the case of privileged information, all parties to the exchange have given their consent prior to processing

the processing is provided for by existing laws and regulations, provided that such regulatory enactments guarantee the protection of the sensitive personal information and the privileged information, and the consent of the data subjects is not required by the law or regulation permitting the processing

the processing is necessary to protect the life and health of the data subject or another person, and the data subject is not legally or physically able to express his or her consent prior to the processing

the processing is necessary to achieve the lawful and non-commercial objectives of public organizations and their associations, provided:

such processing is confined and related only to the bona fide members of these organizations or their associations

the sensitive personal data are not transferred to third parties, and

the consent of the data subject was obtained prior to processing

the processing is necessary for purposes of medical treatment, is carried out by a medical practitioner or a medical treatment institution, and an adequate level of protection of personal information is ensured, or

the processing concerns such personal information as is necessary for the protection of the lawful rights and interests of natural or legal persons in court proceedings, or the establishment, exercise or defense of legal claims, or when provided to a government or public authority.


TRANSFER

The transfer of Personal Information is permitted without any restrictions or prerequisites, but the personal information controller remains responsible for Personal Information under its control or custody that has been transferred to a third party for processing, whether domestically or internationally, subject to cross-border arrangement and cooperation.

SECURITY

The personal information controller must implement reasonable and appropriate organizational, physical and technical measures to protect Personal Information against any type of accidental or unlawful destruction, such as accidental loss, unlawful access, fraudulent misuse, unlawful destruction, alteration, contamination and disclosure, as well as against any other unlawful processing.

The determination of the appropriate level of security must take into account the nature of the Personal Information to be protected, the risks represented by the processing, the size of the organization and the complexity of its operations, current data privacy best practices, and the cost of security implementation.

In addition, the security measures to be implemented must include the following, subject to guidelines that the NPC may issue:

safeguards to protect its computer network against accidental, unlawful or unauthorized usage, or interference with or hindering of its functioning or availability

a security policy with respect to the processing of personal information

a process for identifying and assessing reasonably foreseeable vulnerabilities in its computer networks, and for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach, and

regular monitoring for security breaches and a process for taking preventive, corrective and mitigating action against security incidents that can lead to a security breach.

The personal information controller is obligated to ensure that third parties processing personal information on its behalf implement the security measures required by the Act.

The obligation to maintain strict confidentiality of personal information that is not intended for public disclosure extends to the employees, agents or representatives of a personal information controller who are involved in the processing of such personal information.

BREACH NOTIFICATION

The personal information controller is required to promptly notify the NPC and the affected data subjects when it has reasonable belief that Sensitive Personal Information or other information has been acquired by an unauthorized person, and that:

such personal information may, under the circumstances, be used to enable identity fraud, and

the personal information controller or the NPC believes that such unauthorized acquisition is likely to give rise to a real risk of serious harm to any affected data subject.

The notification shall at least describe the nature of the breach, the sensitive personal information possibly involved, and the measures taken by the entity to address the breach.

Notification may be delayed only to the extent necessary to determine the scope of the breach, to prevent further disclosures, or to restore reasonable integrity to the information and communications system. The NPC may also authorize postponement of notification where such notification may hinder the progress of a criminal investigation related to a serious breach.

Notification is not required if the NPC determines:

that notification is unwarranted after taking into account compliance by the personal information controller with the Act and the existence of good faith in the acquisition of the personal information, or

that, in the reasonable judgment of the NPC, such notification would not be in the public interest or in the interests of the affected data subjects.

ENFORCEMENT

The NPC is responsible for ensuring the compliance of personal information controllers with the Act. It has the power to receive complaints, institute investigations, facilitate or enable settlement of complaints through alternative dispute resolution processes, adjudicate, award indemnity on matters affecting any personal information, prepare reports on the disposition of complaints and the resolution of any investigation it initiates, and, in cases it deems appropriate, publicize any such report. Additionally, the NPC can issue cease and desist orders and impose a temporary or permanent ban on the processing of personal information upon finding that the processing will be detrimental to national security and the public interest.

The NPC, however, cannot prosecute violators for breaches of the Act for which criminal penalties can be imposed. The Department of Justice is tasked with the prosecution of violations of the Act that are punishable with criminal sanctions.

The following actions are punishable under the Act with imprisonment of varying duration plus a monetary penalty:

processing of Personal Information or Sensitive Personal Information:

without the consent of the data subject or without being authorized by the Act or any existing law, or

for purposes not authorized by the data subject or otherwise authorized under the Act or under existing laws

providing access to Personal Information or Sensitive Personal Information due to negligence and without being authorized under the Act or any existing law

knowingly or negligently disposing, discarding or abandoning the Personal Information or Sensitive Personal Information of an individual in an area accessible to the public, or otherwise placing the personal information of an individual in its container for trash collection

knowingly and unlawfully, or in violation of data confidentiality and security data systems, breaking in any way into any system where Personal and Sensitive Personal Information is stored

concealing the fact of a security breach, whether intentionally or by omission, after having knowledge of the security breach and of the obligation to notify the NPC pursuant to Section 20(f) of the Act

disclosing, by any personal information controller or personal information processor or any of its officials, employees or agents, Personal Information or Sensitive Personal Information to a third party without the consent of the data subject and without malice or bad faith, and

disclosing, with malice or in bad faith, by any personal information controller or personal information processor or any of its officials, employees or agents, unwarranted or false information relative to any Personal Information or Sensitive Personal Information obtained by him or her.

ELECTRONIC MARKETING

In 2008, the Department of Trade and Industry, the Department of Health, and the Department of Agriculture issued a joint

administrative order implementing the Consumer Act of the Philippines (Republic Act No. 7394) and the E-Commerce Act

(Republic Act No. 8792). The Joint DTI-DOH-DA Administrative Order No. 01 (the ‘Administrative Order’) provides rules and

regulations protecting consumers during online transactions, particularly on the purchase of products and services. It covers both

local and foreign-based retailers and sellers engaged in e-commerce.

The Administrative Order particularly requires retailers, sellers, distributors, suppliers or manufacturers engaged in electronic

commerce with consumers to refrain from engaging in any false, deceptive and misleading advertisement prohibited under the

provisions of the Consumer Act of the Philippines.

In line with the Administrative Order’s provision on fair marketing and advertising practices, retailers, sellers, distributors,

suppliers or manufacturers engaged in electronic commerce are mandated to provide:

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Philippines 825 | | | www.dlapiperdataprotection.com

fair, accurate, clear and easily accessible information describing the products or services offered for sale such as the nature, quality and quantity thereof

fair, accurate, clear and easily accessible information sufficient to enable consumers to make an informed decision whether or not to enter into the transaction, and

such information that allows consumers to maintain an adequate record of the information about the products and services offered for sale

A data subject must be provided with specific information regarding the processing of his personal data for direct marketing. In fact, the data subject shall have the right to object to the processing of his or her personal data, including processing for direct marketing.

ONLINE PRIVACY

The Cybercrime Prevention Act of 2012 (“CPA”) is the first law in the Philippines which specifically criminalizes computer crimes. The law aims to address legal issues concerning online interactions. The CPA does not define nor does it particularly refer to online privacy; however, it penalizes acts that violate an individual’s rights to online privacy, particularly those interferences against the confidentiality, integrity and availability of computer data and systems.

Section 4(c)(3) of the CPA, which provides that unsolicited commercial communications are generally a cybercrime offense punishable under the CPA, was struck down by the Supreme Court for violating the constitutionally guaranteed freedom of expression.

All data to be collected or seized or disclosed will require a court warrant. The court warrant shall only be issued or granted upon written application and the examination under oath or affirmation of the applicant and the witnesses he may produce showing that there are:

reasonable grounds to believe that any of the crimes penalized by the CPA has been committed, or is being committed, or is about to be committed

reasonable grounds to believe that evidence that will be obtained is essential to the conviction of any person for, or to the solution of, or to the prevention of, any such crimes, and

no other means readily available for obtaining such evidence.

The integrity of traffic data shall be preserved for a minimum period of six months from the date of the transaction.

Courts may issue a warrant for the disclosure of traffic data if such disclosure is necessary and relevant for the purposes of investigation in relation to a valid complaint officially docketed.

No law in this jurisdiction currently deals with the subject of location data or the regulation of the use of cookies.


KEY CONTACTS

Romulo Mabanta Buenaventura Sayoc & De Los Angeles

www.romulo.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Catherine Beatrice O. King Kay
Senior Associate
Romulo Mabanta Buenaventura Sayoc & De Los Angeles
T +63 2 8555 9555
Catherine.Kingkay@romulo.com

Jesse Eleazar D. Tantoco
Associate
Romulo Mabanta Buenaventura Sayoc & De Los Angeles
T +63 2 8555 9555
Jesse.Tantoco@romulo.com


POLAND

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

As a member of the European Union, Poland implemented the EU Data Protection Directive 95/46/EC in the Personal Data Protection Act of August 29, 1997 (consolidated text: Journal of Laws of 2016, item 922, “previous PDPA”).

In relation to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”), on September 12, 2017, two draft acts on personal data protection law were published in Poland. The first one was the draft of the new Personal Data Protection Act of 10 May 2018 (Journal of Laws of 2019, item 1781) (“PDPA”) which came into force on May 25, 2018, while the second was the Act on the amendments to sectorial acts accompanying the GDPR of 21 February 2019, containing amendments to over 160 sectorial regulations, including banking, insurance and labour law (Journal of Laws of 2019, item 730) (“Implementing act”), which came into force on 4 May 2019.

The two new pieces of legislation are aimed at implementing the GDPR into the Polish legal order, as well as regulating the matters in which the GDPR leaves a certain regulatory freedom for EU Member States. The new PDPA establishes a new supervisory body – the President of the Office for Personal Data Protection (hereinafter referred to as the “Polish DPA”), which has a much wider range of powers than the previous DPA (Inspector General for the Protection of Personal Data – hereinafter referred to as the Inspector General).


A number of provisions of the Telecommunications Act of 16 July 2004 (consolidated text: Journal of Laws 2018, item 1954, hereinafter referred to as the “Telecommunications Act”) are applicable to the processing of personal data by providers of publicly available telecommunications services, and a number of sector specific statutes relating to, among others, employment and banking matters also contain specific regulations on the processing of personal data.

The amendments to the sectorial regulations included in the Implementing act affected, among others, employment, banking and insurance regulations. The act was passed on February 21, 2019 and entered into force on May 4, 2019.

DEFINITIONS

Personal data is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The Implementing act does not include any local derogations to the definitions set out in GDPR.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.


The President of the Office for Personal Data Protection.

Office of the President for Personal Data Protection
Urzad Ochrony Danych Osobowych
Stawki 2
00-193 Warsaw
Poland
Tel. +48 22 531 03 00
Fax +48 22 531 03 01
kancelaria@uodo.gov.pl

Helpline (in Polish only): phone no. +48 606-950-000 is open from Monday to Friday from 10 am to 2 pm.

The Office of the President is open from Monday to Friday from 8 am to 4 pm.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

Under the previous PDPA (in force until May 25, 2018), as a general rule, data controllers that process personal data were obligated to notify the Inspector General about the data filing system containing that data. The Inspector General kept a register of data controllers and data filing systems, which was available to the public.

This obligation no longer exists under the new PDPA and the Implementing act.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale

Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection laws and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws

To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff

To advise and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

According to the new PDPA, the appointment of a Data Protection Officer (DPO) must be notified to the supervisory authority within 14 days. The notification should include the name and email address of the DPO or his or her phone number. Any changes to the information provided or the dismissal of a DPO should also be notified within 14 days. The entity who appointed the DPO shall make available the DPO’s details on its website or in a generally accessible manner at a place of pursuit of activity (if it does not have its own website). According to official guidance from the Polish DPA, the contact details of the DPO should be easily accessible, not hidden somewhere in long documents such as a privacy policy etc.

The Implementing act includes the possibility to designate a person to replace the DPO during their absence (eg, temporary absence). However, it would be necessary to inform the Polish DPA about the designation in the same way as about the designation of a DPO. All rules and requirements for DPOs, such as the ones stated in article 37 of the GDPR or the obligation to inform the Polish DPA are also applicable to this person.

If a person was officially appointed as an Information Security Officer (ABI) under the previous PDPA, this person automatically became a DPO for the data controller until September 1, 2018, and provided that the appointment was notified to the President of the Office before that date, the person continues to serve as a DPO after that date.

If the data controller is obliged to appoint a DPO in accordance with Article 37 of the GDPR but did not appoint one under the previous PDPA, the appointment of the DPO should have taken place and been notified to the President of the Office before July 31, 2018.

COLLECTION & PROCESSING

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation principle)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and where necessary kept up-to-date (accuracy principle)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (of the EU) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.


Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. Necessary for entering into or performing a contract

b. Authorized by EU or Member State law


c. The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

The new PDPA includes some derogations from the GDPR. However, the draft of the Implementation act is likely to introduce more provisions which elaborate on the provisions of the GDPR on the collection and processing of personal data. It is important to note that the Polish legislator has decided to include derogations regarding labour law both in the new PDPA and in the Implementation act.

The new PDPA contains provisions amending, among others, the Labour Code. These provisions provide for circumstances under which the employer can carry out video surveillance, email monitoring and other employee monitoring activities. Video surveillance may be implemented if it is necessary to ensure the safety of employees or the protection of property or production control, or to keep confidential information the disclosure of which could cause damage to the employer. Monitoring of work emails may be implemented if it is necessary to ensure maximum work efficiency and the proper use of work tools made available to the employees. The scope, means and purposes of the employee monitoring must be provided to the employees via workplace regulations or other, exhaustively listed, means at least two weeks before the monitoring starts. The legality of a particular monitoring scheme should be assessed on a case-by-case basis.

The new PDPA also prescribes the maximum retention period of the information obtained from video monitoring (it must not be stored indefinitely). The material can be retained for three months after the recording took place, unless the recording constitutes (or may constitute) evidence in legal proceedings. In this case, the material may be stored until the final decision in the proceedings is issued. In relation to the retention period of information obtained via any other form of employee monitoring, the general rules of the GDPR apply – the material can be retained as long as is reasonably needed for the purposes for which it was collected. The remaining changes to the Labour Code are included in the Implementation act.

For example, the employer may process the personal data of its employees or job applicants referred to in Article 9(1) with consent, however only if the data was given on the data subject’s own initiative. Another significant amendment is to the scope of data requested when applying for a job. Although address as well as parents’ names are no longer needed, contact details should be provided. Changes in video surveillance would allow an employer to locate cameras in sanitary areas upon prior consent from the enterprise trade union or the employee representative who has been chosen in the way prescribed by an employer. However, the monitoring shall not cover the premises made available to the enterprise trade union.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay, New Zealand and Japan.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules, standard contractual clauses, and the EU-US Privacy Shield

Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in

some cases seek prior approval of standard contractual clauses from supervisory authorities.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Poland 835 | | | www.dlapiperdataprotection.com

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. Explicit informed consent has been obtained

b. The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

c. The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person

d. The transfer is necessary for important reasons of public interest

e. The transfer is necessary for the establishment, exercise or defense of legal claims

f. The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

g. The transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State. A transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

In the case of the transfer of personal data to a third country, the Implementing act does not impose any additional

requirements concerning notifications to or registrations with the President of the Office.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organizational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

a. The pseudonymization and encryption of personal data

b. The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

c. The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

d. A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

The Implementing Act does not include any derogations from the GDPR.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,


and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

In Poland, the breach notification obligations under the Telecommunications Act were replaced by the breach notification

obligations under the terms specified in Commission Regulation (EU) No. 611/2013 of June 24, 2013 regarding measures

applicable to notification of personal data breaches under Directive 2002/58/ EC of the European Parliament and of the

Council on privacy and electronic communications (Regulation 611/2013).

A personal data breach should be reported by the provider of telecommunications services to the President of the Office

immediately, and no later than 24 hours after the detection of the personal data breach. This deadline results from Article

2 section (2) of the Regulation 611/2013. Because this period is shorter than the period indicated in the GDPR,

telecommunications undertakings will have to make every effort to send the information required by law within 24, not

72, hours. Therefore, the personal data breach should be notified electronically by filling out the appropriate form.

If a data breach could have a negative impact on the rights of a subscriber or end user (i.e., a natural person), the service provider should also immediately (i.e., without undue delay) inform the subscriber or end user about the breach, in addition to informing the President of the Office, on the terms established in Regulation 611/2013.
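The breach notification rules above combine three decisions: whether the supervisory authority must be told, by when, and whether affected individuals must be told as well, with a shorter 24-hour clock for telecommunications providers. The following Python helper is an added example, not part of the DLA Piper text, that encodes those rules as a small breach-register entry and a decision function, and checks an entry against the Article 33(3) content requirements. The three-level risk classification, the field names and the sample records are constructed assumptions for illustration.

```python
"""Breach-notification decision helper (added example; assumptions are marked).

Rules modelled from the section above:
  * GDPR Art. 33(1): notify the supervisory authority without undue delay and,
    where feasible, within 72 h of becoming aware, unless the breach is unlikely
    to result in a risk to individuals.
  * GDPR Art. 34: where the risk is high, also notify the affected data subjects.
  * GDPR Art. 33(5): record every breach, whether or not it is notified.
  * Regulation 611/2013 Art. 2(2) (telecom providers in Poland): notify the
    President of the Office within 24 h of detection; inform subscribers when the
    breach could negatively affect their rights.
The three-level Risk enum is an assumption used to approximate these thresholds.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Risk(Enum):
    UNLIKELY = "unlikely to result in a risk"
    RISK = "risk to rights and freedoms"
    HIGH = "high risk to rights and freedoms"


@dataclass
class BreachRecord:
    """One entry in the Art. 33(5) breach register; fields follow Art. 33(3)."""
    became_aware_at: datetime
    risk: Risk
    telecom_provider: bool = False          # subject to Regulation 611/2013
    subject_categories: list = field(default_factory=list)
    approx_subjects: int = 0
    approx_records: int = 0
    contact: str = ""                       # DPO or other contact point
    likely_consequences: str = ""
    mitigation: str = ""


def authority_deadline_hours(rec: BreachRecord) -> int:
    """Outer limit for notifying the supervisory authority (24 h telecom, else 72 h)."""
    return 24 if rec.telecom_provider else 72


def notification_plan(rec: BreachRecord) -> dict:
    """Decide who must be told and by when. Recording internally is always required."""
    if rec.telecom_provider:
        notify_authority = True                         # the page states no risk threshold
        notify_subjects = rec.risk is not Risk.UNLIKELY  # "negative impact on the rights"
    else:
        notify_authority = rec.risk is not Risk.UNLIKELY
        notify_subjects = rec.risk is Risk.HIGH
    deadline: Optional[datetime] = None
    if notify_authority:
        deadline = rec.became_aware_at + timedelta(hours=authority_deadline_hours(rec))
    return {
        "record_internally": True,
        "notify_authority": notify_authority,
        "authority_deadline": deadline,
        "notify_data_subjects": notify_subjects,
    }


def missing_notification_fields(rec: BreachRecord) -> list:
    """Art. 33(3) items still blank; an empty list means the notice is complete."""
    checks = {
        "subject_categories": bool(rec.subject_categories),
        "approx_subjects": rec.approx_subjects > 0,
        "approx_records": rec.approx_records > 0,
        "contact": bool(rec.contact.strip()),
        "likely_consequences": bool(rec.likely_consequences.strip()),
        "mitigation": bool(rec.mitigation.strip()),
    }
    return [name for name, ok in checks.items() if not ok]


def overdue_at(rec: BreachRecord, now_iso: str) -> bool:
    """True if the authority deadline has already passed at the given ISO-8601 time."""
    deadline = notification_plan(rec)["authority_deadline"]
    return deadline is not None and datetime.fromisoformat(now_iso) > deadline


def sample_records() -> dict:
    """Constructed sample entries (not real cases) exercising each branch."""
    t0 = datetime(2023, 1, 10, 9, 0, tzinfo=timezone.utc)
    return {
        "retailer_hack": BreachRecord(
            t0, Risk.HIGH, subject_categories=["customers"], approx_subjects=100_000,
            approx_records=100_000, contact="dpo@example.invalid",
            likely_consequences="credential stuffing against customer accounts",
            mitigation="passwords reset, sessions revoked, platform patched"),
        "telecom_misdelivery": BreachRecord(
            t0, Risk.RISK, telecom_provider=True, subject_categories=["subscribers"],
            approx_subjects=2, approx_records=2, contact="dpo@example.invalid",
            likely_consequences="disclosure of billing details",
            mitigation="recipient asked to delete the message"),
        "lost_encrypted_laptop": BreachRecord(
            t0, Risk.UNLIKELY, subject_categories=["employees"], approx_subjects=50,
            approx_records=50, contact="dpo@example.invalid"),
    }


if __name__ == "__main__":
    for name, rec in sample_records().items():
        print(name, notification_plan(rec), missing_notification_fields(rec))
```

The "lost_encrypted_laptop" entry shows the Article 33(5) point: a breach that is unlikely to result in a risk is still recorded, and the register entry still flags which notice fields are empty, so the file is audit-ready if the supervisory authority asks for it. The five-month delay in the insurer case above would show up as `overdue_at` returning true long before the company notified.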

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define undertaking and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of undertaking. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called look through liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.


Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases such as processing employee data

Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The President of the Office is responsible for the enforcement of Polish data protection law and as such is entitled to

carry out audits of data controllers in order to determine their compliance with the regulations on the protection of

personal data and to impose administrative fines, by means of an administrative decision, pursuant to Article 83 of the

GDPR.

The new PDPA provides for a lower level of fines that can be imposed on public authorities for breaching the GDPR – the

maximum amount is PLN 100,000 (approx. EUR 25,000).

The new PDPA maintains criminal liability for individuals who process personal data:

a. where such processing is forbidden or where he or she is not authorized to carry out such processing; in this case, the person may be liable to a fine, a partial restriction of liberty, or imprisonment of up to two years (or three years if special categories of personal data are processed).

b. who prevents or hinders the performance of inspection activities conducted by the President of the Office (or its delegated inspectors); in this case the person may be liable to a fine, a restriction of liberty, or imprisonment of up to two years.

As only individuals (and not legal entities) may be prosecuted for criminal offences, the person who may potentially face

criminal charges would be a member of the management board (the person performing the role of data controller in a

legal entity) or an employee authorized to process personal data (eg, a data protection officer or human resources officer).

In 2019, five administrative fines were issued by the Polish DPA.

The first one was issued on 15 March 2019 and concerned a private company processing data gathered from publicly

available sources for the purpose of providing its clients with reports on other business entities. As a main concern, the

Polish DPA indicated non-compliance with the information obligations from Art. 14 of the GDPR, in particular the

exception listed in Art. 14 sec. 5 of the GDPR. As a result, a fine of approximately EUR 220,017 was issued. The company

lodged an appeal following the decision. As of December 2019, the administrative court has issued a decision stating that

the Polish DPA has to re-examine the amount of fine, but also upholding the main points of the decision, in particular

concerning the invalid use of the exception listed in Art. 14 sec. 5 of the GDPR, and the proceedings are ongoing.

The second fine was issued on 25 April 2019. The case concerned a football association which erroneously made personal

data of football referees available, in particular the national personal identification number (PESEL) which is considered

sensitive data and indicated as a major risk factor in case of a breach. The amount of fine was EUR 13,000.

The third fine was the highest so far – EUR 660,000. The decision was issued against an online retailer, whose online

platform was subject to a hacking attack, resulting in a large amount of personal records to be leaked online. The

subsequent proceedings indicated that the organizational and technical measures taken by the retailer were not

appropriate to the risk posed by the processing of personal data. Additionally, the Polish DPA questioned the measures

taken by the retailer following the incident as inadequate. The company appealed against the fine to the administrative

court, however in this case the court upheld the decision. The company’s lawyers might appeal further – to the Supreme

Administrative Court. It was commented that the administrative court should in fact pose judicial questions to the CJEU.

The fourth fine was issued against a company providing marketing services (text messages, e-mails, online campaigns) in

relation to its complicated procedure for withdrawing the data subject’s consent, which was assessed by the Polish DPA

as an obstruction of the right to withdraw consent. This company was fined EUR 47,000.

The last fine in 2019 was the first one to be issued against a public entity – a local municipality was fined for not entering

into data processing agreements with the external entities to which it transferred personal data. The amount of the

administrative fine was approximately EUR 9,328.

In 2020, the Polish DPA issued nine administrative fines. Most of them were connected with a failure to provide

information to the Polish DPA or lack of cooperation with the authority.

The first fine was imposed on a school which used a biometric reader at the entrance to its canteen in order to check

whether children had paid for their meal. The Polish DPA considered such data processing as disproportionate with

respect to its purpose. The school was fined ca. EUR 4,700.

The second fine was imposed on a company from the telemarketing industry as a result of its insufficient cooperation with

the authority. This company was fined ca. EUR 4,700.

The third fine was imposed on a person running a nursery and pre-school who failed to provide the Polish DPA with

access to personal data and other information necessary for it to perform its tasks – in this case, to assess whether the

data controller communicated a data breach to the data subject in accordance with the GDPR. The person was fined ca.

EUR 1,700.


The fourth fine was imposed on the owner of a website for failing to provide the DPA with access to personal data and

other information necessary for it to perform its tasks. This was the first cross-border case handled by the Polish DPA.

The owner of the website was fined EUR 3,400.

The next two fines were imposed on the Surveyor General of Poland (“GGK”) in two separate proceedings. The first fine

was connected with a failure to provide the supervisory authority – during an inspection – with access to premises, data

processing equipment, personal data and information necessary for the Polish DPA to perform its tasks. Furthermore,

GGK did not cooperate with the Polish DPA during the inspection. As a result, GGK was fined EUR 22,700. A second fine

of the same amount was imposed due to an infringement of the principle of lawfulness of personal data processing and

intentionally making personal data available without a legal basis on the Internet (www.geoportal2.pl).

The seventh fine was connected with a personal data breach at the Warsaw University of Life Sciences (SGGW), mainly

due to insufficient technical and organisational measures to ensure information security. The university was fined EUR

11,200.

The eighth fine was imposed on a provider of telecommunications services for the lack of appropriate technical and

organisational measures to ensure the security of the data it was processing. The company was fined EUR 444,000 – the

biggest fine of 2020.

The last fine of 2020 was imposed on an insurance and reinsurance company for the insufficient fulfilment of data breach

notification obligations. The Polish DPA received information from a third party about a personal data breach which

consisted in the sending by email of an insurance policy by an insurance agent (a data processor of the insurance and

reinsurance company) to an unauthorised addressee. Five months after the breach happened, the insurance and

reinsurance company itself notified the DPA about the data breach and the two persons affected by it. The Polish DPA

considered this as a long-lasting breach, which constitutes an aggravating circumstance, and the company was fined EUR

18,930.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely

the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its

draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime,

GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR.

As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR

standard for consent.

Electronic marketing activities are subject to the regulation of Polish data protection law, i.e. the Act of July 18, 2002 on

Providing Services by Electronic Means (consolidated text: Journal of Laws of 2018, item 123, hereinafter referred to as

the PSEM) and the Telecommunications Act.

The processing of personal data for its own marketing purposes by a data controller (as well as other companies from the


group) may be based on Article 6 sec. 1(f) of the GDPR – legitimate interests of the data controller, and it does not

require separate consent. However, the data subject may always object to such processing. Nevertheless, if marketing

activities relate to products and services of third parties, prior consent for such processing is necessary.

Apart from consent to the processing of personal data (if it is required), the PSEM imposes an obligation to obtain

separate consent to the sending of commercial information by electronic means (eg, by email and SMS) to a specified

recipient (natural person). Therefore, a service provider is obliged to obtain the relevant consent before sending the

commercial information (by email or SMS) to a natural person. On the other hand, it is permitted to send such

information without prior consent to recipients that are legal persons to a general email addresses (such as

office@company.com) and to a specific employee’s business email address (such as name.surname@company.com).

According to the Implementing act, the consent under the PSEM must comply with the GDPR requirements as regards

the format. Sending commercial information without consent is considered to be an act of unfair competition and a

service provider should be able to provide evidence that it has obtained consent.

Pursuant to the Telecommunications Act, using end telecommunications devices (for instance, to present a marketing

offer during a telephone call) or automated calling systems for direct marketing requires the obtaining of another consent

declaration from the recipient (subscriber or end user). In practice, the relationship between the abovementioned

regulations (especially between the provisions of the new PDPA and the Telecommunications Act) and the scope of

particular consent declarations that should be obtained by service providers is not perfectly clear in this regard. However,

it seems that, generally, the consent to direct marketing by means of telecommunications devices and automated calling

systems should be obtained separately from the consent to the processing of personal data (if required) and to consent to

the sending of commercial information by electronic means. According to the Implementing act, the consent of the

subscriber or the end user must comply with the GDPR requirements as regards the format.

ONLINE PRIVACY

The Telecommunications Act regulates the collection of transmission and location data and the use of cookies (and similar

technologies).

Transmission data

The processing of transmission data (understood as data processed for the purpose of transferring messages within

telecommunications networks or charging payments for telecommunications services, including location data, which should be

understood as any data processed in a telecommunications network or as a part of telecommunications services indicating the

geographic location of the terminal equipment of a user of publicly available telecommunications services) for marketing

telecommunications services or for providing value-added services is permitted if the user (i.e. subscriber or end user) gives his or

her consent.

Location data

In order to use data about location (understood as location data beyond the data necessary for message transmission or billing), a

provider of publicly available telecommunications services has to:

Obtain the consent of the user to process data about location concerning this user, which may be withdrawn for a given

period or in relation to a given call, or

Anonymize this data.

A provider of publicly available telecommunications services is obliged to inform the user, prior to receiving its consent, about the

type of data about location which is to be processed, about the purpose and time limits of the processing, and whether this data is

to be passed on to another entity in order to provide a value-added service.

Processing data about location may only be performed by entities that:

Are authorized by a public telecommunications network operator


Are authorized by a provider of publicly available telecommunications services

Provide a value-added service

Data about location may be processed only for purposes necessary to provide value-added services.

Cookies

The use and storage of cookies and similar technologies is only allowed on the condition that:

a. The subscriber or the end user is directly informed in advance in an unambiguous, simple and understandable manner about:

   i. The purpose of storing and the manner of gaining access to this information

   ii. The possibility to define the condition of the storing or the gaining of access to this information by using settings of the software installed on his or her telecommunications terminal equipment or service configuration

b. The subscriber or end user, having obtained the information referred to above, gives his/her consent, and

c. The stored information or the gaining of access to this information does not cause changes in the configuration of the subscriber’s or end user’s telecommunications terminal equipment or in the software installed on this equipment (the end user may grant consent by using the settings of the software installed in the final telecommunications device that he/she uses or by the service configuration)

The consent of the subscriber or end user is not required if storage or gaining access to cookies is necessary for:

Transmitting a message using a public telecommunications network

Delivering a service rendered electronically, as required by the subscriber or the end user

Entities providing telecommunications services or services by electronic means may install software on the subscriber’s or end

user’s terminal equipment intended for using these services or use this software, provided that the subscriber or end user:

Is directly informed, before the installation of the software, in an unambiguous, simple and understandable manner, about

the purpose of installing this software and about the manner in which the service provider uses this software

Is directly informed, in an unambiguous, simple and understandable manner, about the manner in which the software may

be removed from the end user’s or subscriber’s terminal equipment

Gives its consent to the installation and use of the software prior to its installation

According to the current draft of the second act, the consent of the subscriber or the end user must comply with the GDPR

requirements as regards the format. The legislative procedure is still ongoing and we will update you once the final version of the

amendments takes shape.

Enforcement and sanctions

A company that processes transmission data contrary to the Telecommunications Act or fails to meet obligations to obtain

consent to process data about location or to store and to gain access to cookies may be subject to a fine of up to 3% of the

company’s revenues for the previous calendar year. The fine is imposed by the President of the OEC. In addition, the President of

the OEC may impose a fine on a person holding a managerial position in the company (such as a member of the management

board) of up to 300% of his or her monthly remuneration.

Enforcement and sanctions

Failing to meet the obligations to obtain consent to direct marketing by means of telecommunications devices and

automated calling systems may be subject to a fine of up to 3% of the revenues of the fined company for the previous

calendar year. The fine is imposed by the President of the Office of Electronic Communication (hereinafter referred to as

the President of the OEC). In addition, the President of the OEC may impose a fine on a person holding a managerial

position in the company (such as a member of the management board) of up to 300% of his or her monthly remuneration.


Sending marketing information by electronic means without the consent of the recipient may be subject to a fine of up to

PLN 5,000 (approx. EUR 1,200) under the provisions of the PSEM and is considered to be an act of unfair competition (ie, a practice that infringes collective consumer interests) and thus may be subject to a fine of up to 10% of the revenues of

the fined company for the previous calendar year (subject to separate regulations).

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Ewa Kurowska-Tober
Partner, Global Co-Chair Data Protection, Privacy and Security Group

T +48 22 540 74 1502

ewa.kurowska-tober@dlapiper.com

Magdalena Koniarska
Senior Associate

T +48 22 540 78 19

magdalena.koniarska@dlapiper.com


PORTUGAL

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two-year transition period, became directly applicable law in all Member States of the European Union on May 25, 2018, without requiring implementation by the EU Member States through national law.

A Regulation (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However,

there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own

domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the

Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to the “offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

Currently, processing of personal data in Portugal is governed by the GDPR and by Law no 58/2019 of 8 August, which ensures the execution of the GDPR in Portugal. However, the local supervisory authority (CNPD) issued Decision 494/2019, in which it declined to apply the following provisions of that law because it considered them to contradict the GDPR:

article 2(1) and (2): scope of the Law;

article 20(1): duty of secrecy;

article 23: processing of personal data by public entities for different purposes;

article 28(3)(a): consent of employee in an employment context;

article 37(1)(a)(h)(k) and (2): misdemeanors and applicable sanctions;

article 38(1)(b) and (2): misdemeanors and applicable sanctions;

article 39(1) and (3): misdemeanors and applicable sanctions;

article 61(2): connection between the expiry of consent and termination of the agreement (for existing

agreements);

article 62(2): revocation of provisions requiring prior authorization or notification to CNPD with effect from the

date of entry into force of the GDPR.

Furthermore, Law no 59/2019 of 8 August contains provisions related with personal data processing for purposes of


prevention, detection, investigation and repression of criminal offenses and for purposes of execution of criminal sanctions, transposing Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016.

Relevant data protection provisions in the context of electronic communications may also be found in Law 41/2004, of 18

August (Law on the processing of personal data and the protection of privacy in the electronic communications, as

amended by Law 46/2012, of 29 August and enacted pursuant to Directive 2002/58/EC) (with subsequent amendments

arising from Article 2 of Directive 2009/136/EC).

DEFINITIONS

Personal data is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of lead supervisory authority. Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called lead supervisory authority (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.


Comissão Nacional de Proteção de Dados (‘National Commission for the Protection of Data’, also known as ‘CNPD’).

Av. D. Carlos I, 134 – 1.º

1200-651 Lisboa

T +351 21 392 84 00

F +351 21 397 68 32

geral@cnpd.pt

www.cnpd.pt

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

Under the prior Personal Data Protection Law, as a general rule, data controllers who processed personal data were required to notify such activity to the supervisory authority (CNPD), unless a specific exemption applied. Although some commentary holds that the prior notification obligations still apply, the majority view and the supervisory authority’s formal position is that those obligations are no longer applicable.

Under Law no 58/2019 of 8 August, the implementation of video surveillance systems with sound recording is not allowed except in cases where the monitored premises are closed or there is prior authorization from the supervisory authority.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale

Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge (Article 37(5)) of data protection law and practices, though it is possible to outsource the


DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be

told what to do in the exercise of his or her tasks and must not be dismissed or penalized for performing those tasks (Article

38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

To inform and advise on compliance with GDPR and other Union and Member State data protection laws

To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff

To advise and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

In accordance with Law no 58/2019 of 8 August, the appointment of a Data Protection Officer (DPO) shall follow the requirements provided in Article 37(5) of the GDPR. No professional certification is required and the DPO is bound by professional secrecy. In addition to the functions described in the GDPR, DPOs shall ensure that audits are carried out, make users aware of the importance of detecting data breaches, and handle relations with data subjects in matters covered by the GDPR and national data protection laws.

For the purposes of the mandatory notification of the data protection officer to the supervisory authority, in the context of Article 37(7) of the GDPR, the supervisory authority established the applicable procedure for notification. A specific form made available by the supervisory authority on its website should be completed and submitted online (the form is available at https://www.cnpd.pt/DPO/(X(1)S(d2cdwej4020romx2gqes1vdk))/Default.aspx?AspxAutoDetectCookieSupport=1).

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency principle)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (purpose limitation principle)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (data minimization principle)

Accurate and where necessary kept up-to-date (accuracy principle)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (storage limitation principle)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (integrity and confidentiality principle)

The controller is responsible for and must be able to demonstrate compliance with the above principles (accountability principle).

Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate

compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and

appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6


In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (under EU or Member State law) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organizations wish to re-purpose personal data, ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymization

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, ie, the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

while others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about the how the data have been used by the controller.


Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognized by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision taking, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

Necessary for entering into or performing a contract

Authorized by EU or Member State law

The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Personal data may only be processed if any of the GDPR lawful bases apply.

Moreover, the data controller must provide the data subject with all the relevant processing information under the GDPR.

In accordance with Law no 58/2019 of 8 August, the processing of children’s personal data based on consent in the context of the direct provision of information society services is only allowed where the child is 13 years of age or older. Below 13 years of age, the consent of the child’s legal representatives is required.


Regarding the processing of health and genetic data, such data may only be processed on a need-to-know basis. In the cases provided for by Article 9(2)(h) and (i) GDPR (ie, where the processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, the management of health or social care systems, or for reasons of public interest in the area of public health), the processing must be carried out by or under the responsibility of a professional who is subject to an obligation of secrecy, or by another person bound by a confidentiality obligation, and appropriate information security measures must be ensured. Access to health and genetic data is made exclusively by electronic means, unless this is technically impossible or the data subject expressly instructs otherwise; subsequent transfer or disclosure of such data is not allowed.

Without prejudice to specific laws and regulations mandating the implementation of video surveillance systems, under Law no 58/2019 of 8 August such systems may only be implemented for the purposes of protecting people and goods, and in compliance with the legal requirements provided in Law no 34/2013 of 16 May as well as in Law no 58/2019 of 8 August.

The personal data retention period is the one provided by law or regulation or, where no specific law or regulation applies, the period for which the personal data are needed in view of the purposes of processing. Where the personal data are needed as evidence of contractual or other obligations, they may only be retained until the limitation period of the respective rights has elapsed.

Specific legal provisions apply in the scope of employment relationships, notably in relation to video surveillance systems

and processing of biometric data.

As concerns data subjects’ rights, these follow the GDPR requirements; Law no 58/2019 of 8 August establishes that the right to data portability provided for in Article 20 of the GDPR only covers the personal data provided by the data subjects themselves, and that such data shall be provided, wherever possible, in an open format.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay, New Zealand, Japan and the United

Kingdom (with a “sunset clause”).

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes among others binding corporate rules and standard contractual clauses. The EU-US Privacy Shield

Framework does not constitute an appropriate safeguard for transferring personal data to the USA since the European

Commission Decision 2016/1250 (which was the legal basis for the EU-US Privacy Shield) has been invalidated by the European

Court of Justice on 16 July 2020 (Case C-311/18, Schrems II). The GDPR has removed the need which existed in some Member

States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory

authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where: 

Explicit informed consent has been obtained

The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person


The transfer is necessary for important reasons of public interest

The transfer is necessary for the establishment, exercise or defense of legal claims

The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained

The transfer is made from a register which according to EU or Member State law is intended to provide information to

the public, subject to certain conditions

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognized

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State. A transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

Transfers to non-EU/EEA countries or international organizations follow GDPR rules. In respect of transfers of personal

data to third countries or international organizations, where the processing is necessary for compliance with a legal

obligation and where it is carried out by public entities in the exercise of authority powers, said transfers shall be

considered as in the public interest.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymisation and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

The security measures shall follow GDPR provisions. Law no 58/2019 of 8 August also provides that health databases or

centralised registers based on single platforms should meet the security and integrity requirements provided for by the

GDPR.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is

also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organization’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

Personal data breach notifications are required in the circumstances provided in Article 33, GDPR. The supervisory authority sets out the procedure for a personal data breach notification. A specific form on the supervisory authority’s website must be completed and submitted (the form is available at https://www.cnpd.pt/DataBreach/?AspxAutoDetectCookieSupport=1).

Also, Law 41/2004, of 18 August (as amended) establishes that companies that provide electronic communications services accessible to the public shall, without undue delay, notify the Data Protection Authority (CNPD) of a personal data breach. When the personal data breach may negatively affect the subscriber’s or user’s personal data, companies providing electronic communications services to the public should also, without undue delay, notify the breach to the subscriber or user so that they can take the necessary precautions.

For these purposes, a negative effect on personal data exists when the breach may result, in particular, in theft or identity fraud, physical harm, significant humiliation or damage to reputation.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinized carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

The basic principles for processing including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases such as processing employee data

Certain orders of a supervisory authority

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

CNPD is the supervisory authority responsible for the enforcement of personal data protection laws and regulations in Portugal. Failure to comply with applicable data protection and privacy legal requirements may result in criminal, civil and administrative liability. Law no 58/2019 of 8 August contains provisions relating to civil, administrative and criminal liability:

(a) The use of personal data in a manner that is incompatible with the purposes of collection, unauthorized access, or

deviation of personal data; the vitiation or erasure of personal data; the insertion of false data, the violation of the duty of

secrecy and disobedience, constitute crimes punishable by a prison sentence of up to four years or a fine of up to 480

days. In general terms, legal persons and similar entities have criminal liability.

(b) Any person who has suffered damages due to the unlawful processing of personal data or any other act that violates

the provisions of the GDPR or of the national law on personal data protection, has the right to compensation from the

data controller or the processor for the damage suffered.

(c) Very serious administrative offences shall be punishable with a fine:

From EUR 5,000 to EUR 20,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the case of large companies

From EUR 2,000 to EUR 2,000,000 or 4% of the total worldwide annual turnover, whichever is higher, in the case of SMEs

From EUR 1,000 to EUR 500,000, in the case of natural persons

Serious administrative offences shall be punishable with a fine:

From EUR 2,500 to EUR 10,000,000 or 2% of the total worldwide annual turnover, whichever is higher, in the case of large companies

From EUR 1,000 to EUR 1,000,000 or 2% of the total worldwide annual turnover, whichever is higher, in the case of SMEs

From EUR 500 to EUR 250,000, in the case of natural persons

However, the local supervisory authority (CNPD) issued Decision 494/2019, deciding not to apply certain provisions of Law no 58/2019 of 8 August, notably those relating to the sanctions applicable to administrative offences, as they were considered to contradict the GDPR. Accordingly, the local supervisory authority will apply the sanctions described in the GDPR.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (eg, an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation. In February 2021, the Council of the European Union agreed on a draft Regulation, opening the trilogue phase. It

is uncertain how long this phase will last and the ePrivacy Regulation is not expected to enter into force before 2023, therefore it

will not be applicable until at least 2025. In the meantime, GDPR Article 94 makes it clear that references to the repealed

Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for

consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

As established under Law 41/2004, of 18 August (as amended), sending unrequested communications for direct marketing purposes to natural persons is subject to the express prior consent of the subscriber or user (that is, the opt-in rule applies). This includes the use of automated calling and communication systems that do not rely on human intervention (automatic call devices), fax or electronic mail, including SMS, EMS, MMS and other similar applications.

As regards direct marketing communications to legal persons, these are allowed insofar as opt-out is offered. Legal

persons may refuse future communications and request registration in the non-subscribers list.

This does not prevent a supplier that has obtained its clients’ data and contacts in connection with the sale of a product or service from using such data for direct marketing of its own products or services, or of products or services similar to the ones provided.

Nevertheless, the supplier shall ensure that these clients are given the opportunity to object to the use of such data, free of charge, clearly and explicitly, and in an easy manner, at the time of the respective collection, and on each message (when the client did not opt-out initially upon collection of the data).

Moreover, sending electronic mail for direct marketing purposes where the identity of the sender is disguised or concealed, where there is no valid means of contact to which a request to stop these communications can be sent, or which encourages recipients to visit websites that violate these rules, is strictly forbidden.

ONLINE PRIVACY

Cookie compliance

As determined by Law 41/2004, of 18 August, storage of data and the possibility of accessing data stored in a subscriber or

user terminal is only allowed if the subscriber or user has provided prior consent. Such consent must be based on clear

and comprehensive information.

This does not prevent technical storage or access for the sole purpose of transmitting communications over an electronic communications network, if strictly necessary for the provision of a service expressly requested by the subscriber or user.

Traffic Data

Traffic data must be erased or anonymized when no longer needed for the transmission of communications. Processing of

traffic data requires prior express consent and the user or subscriber shall be given the possibility to remove it at any

time. Such processing may only be carried out to the extent and for the time strictly necessary for the sale of electronic

communications services or the provision of other value-added services.

Processing of traffic data is admissible when required for billing and payment and only until the end of the period during

which the bill may lawfully be challenged or payment pursued.

Complete and accurate information on the type of data being processed must be provided, as well as the processing

purposes and duration and the possibility of disclosure to third parties for the provision of value added services.

Processing should be limited to workers or employees in charge of billing or traffic management, customer inquiries, fraud

detection, sale of electronic communications services accessible to the public, or the provision of value added services, as

well as to the strictly necessary information for the purposes of carrying out such activities.

Location Data

Processing of location data is allowed only if such data is anonymized or to the extent and for the time necessary for the

provision of value added services, provided that prior express consent was obtained. Prior information to the data

subjects must also be provided.

Companies must ensure there is an option to withdraw consent at any time, or to temporarily refuse the processing of

such data for each connection to the network or for each transmission of a communication, in a simple manner and free

of charge.

Non-compliance with these opt-in rules is considered an administrative offence, punishable with fines ranging from EUR

5,000 to EUR 5,000,000.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Joao Costa Quinta
Partner

T +351 213 583 620

Joao.Quinta@dlapiper.com

Margarida Leitão Nogueira
Senior Associate

T +351 213 583 620

margarida.nogueira@dlapiper.com


QATAR

Last modified 17 January 2022

LAW

Note: Please also see Qatar — Financial Center Free Zone (https://www.dlapiperdataprotection.com/countries/qatar-financial-centre/law.html), a business center located on-shore in Qatar with its own regulations separate from those of the State of Qatar, including separate data protection regulations.

This overview is based on an unofficial English translation of the Law No. (13) of 2016 Concerning Personal Data Protection. The Qatar government does not issue official English translations of the laws of the State of Qatar.

Qatar has implemented Law No. (13) of 2016 Concerning Personal Data Protection (the “Data Protection Law”).

With its Data Protection Law – adopted in 2016 – Qatar became the first Gulf Cooperation Council (GCC) member state to issue a generally applicable data protection law.

The Data Protection Law is supplemented with a set of regulatory guidelines issued by the Compliance and Data Protection Department. The guidelines incorporate concepts from EU privacy regulatory frameworks and seek to clarify obligations under, and address matters that are not dealt with in, the Data Protection Law. The introduction of these guidelines provides a mechanism through which those subject to the Data Protection Law can better understand their obligations under the Data Protection Law and comply with its provisions more fully.

The Data Protection Law applies to personal data when this data is any of the following:

Processed electronically

Obtained, collected or extracted in any other way in preparation for electronic processing 

Processed by combining electronic processing and traditional processing

The Data Protection Law provides that each individual shall have the right to privacy of their personal data. Such data may only be

processed within a framework of transparency, honesty, respect for human dignity and in accordance with the provisions of the

Data Protection Law.

DEFINITIONS

Definition of personal data

Personal data is defined under the Data Protection Law as data relating to a natural person whose identity is identified or is

reasonably identifiable, whether through this data or by means of combining this data with any other data or details.


Definition of sensitive personal data

Sensitive personal data means personal data consisting of information as to a natural person’s:

Ethnic origin

Health

Physical or mental health or condition

Religious beliefs

Relationships

Criminal records

NATIONAL DATA PROTECTION AUTHORITY

Compliance and Data Protection Department (CDP).

REGISTRATION

There is currently no requirement in Qatar for data controllers who process personal information to register with the regulator,

the CDP.

DATA PROTECTION OFFICERS

There is currently no obligation for organizations in Qatar to appoint a data protection officer. There is an obligation on the data

controller to specify processors responsible for protecting personal data, train them appropriately on the protection of personal

data and raise their awareness in relation to protecting personal data.

COLLECTION & PROCESSING

Generally, data subject consent is required to collect and process personal data, except to the extent processing is deemed

necessary for a lawful purpose of the controller, or the third party to whom the personal data is sent.

Lawful purpose is defined in the Data Protection Law as “the purpose for which the personal data of the data subject is being

processed in accordance with the law,” which includes cases where a data controller is processing personal data for legitimate

interests and specific purposes set forth under Data Protection Law as described below.

Prior to processing personal data, the data controller must notify the data subject of the following information:

The details of the data controller or another party who processes the data on behalf of the data controller

The lawful purpose for which the data controller or any third party wants to process the personal data

A comprehensive and accurate description of the processing activities and the degrees of disclosure of personal data for

the lawful purpose

Any other information deemed necessary and required for the satisfaction of personal data processing

The data controller is free to process data without the consent of the data subject or a lawful purpose in the following

circumstances:

The data processing is in the public interest. A data controller would process personal data in the public interest if it is

conducting a specific task in the public interest pursuant to applicable law or is exercising “official authority” (e.g., a public

body’s tasks, functions or duties) pursuant to applicable law

The data processing is required to meet a legal obligation. A data controller would be considered processing personal data

to meet a legal obligation where it is required to do so by virtue of the law or court order

The data processing is required to protect the data subject’s vital interests. What constitutes “vital interests” is applied very narrowly to cases of “life and death” and on the basis of humanitarian grounds such as in relation to a pandemic / epidemic. Further, this exemption is likely to arise in cases where data related to health is being processed, which is a category of sensitive personal data (explored further below), in which case this exemption would only apply if the data subject is physically or legally incapable of providing consent and, as such, explicit consent may be more appropriate in the circumstances

The data processing is required for scientific research being conducted in the public interest. Cases involving the

processing of personal data for “scientific research in the public interests” should be interpreted broadly and would

include processing activities to further technological development or privately funded research

The data processing is required to investigate a crime, if officially requested by the investigating authorities

Sensitive personal data may not be processed except after obtaining authorization from the CDP. There is a high threshold for

processing this data and, amongst other things, a data controller would be required to:

Identify a permitted reason for processing sensitive personal data and an “additional condition” for processing activities

and these “additional conditions” include, but are not limited to, (i) processing with the data subject’s explicit consent or

parental consent (as may be relevant), (ii) the personal data is made public by the data subject; or (iii) the processing is

necessary in an employment context and would enable the data controller to fulfil their obligations as an employer

Complete a data protection impact assessment to identify, inter alia, the purpose and permitted reason for processing, the

potential damage / harm that can be caused to the data subject as a result of the processing activities and the risks to the

processing and methods / actions to mitigate such risks

Obtain permission from the CDP to process such personal data which may be conditioned on, inter alia, the data

controller evidencing to the CDP that it has the appropriate administrative, technical and financial precautions in place to

protect such special personal data

TRANSFER

Data controllers may collect, process and transfer personal data when the data subject consents, unless deemed necessary for

realizing a ‘lawful purpose’ for the controller or for the third party to whom the personal data is sent. The data controller has to

demonstrate, when disclosing and transferring personal data to the data processor, that the transfer is for a lawful purpose and

that the transfer of data is made pursuant to the provisions of the Data Protection Law.

Data controllers should not take measures or adopt procedures that may curb trans-border data flow, unless processing such data

violates the provisions of the Data Protection Law or will cause gross damage to the data subject. The Data Protection Law

defines ‘trans-border data flow’ as accessing, viewing, retrieving, using or storing personal data without the constraints of state

borders.

SECURITY

Data controllers must take appropriate technical and organizational measures to securely manage personal data.

The data controller must carry out the following procedures:

Review privacy protection procedures before implementing new processing operations

Specify the processors responsible for protecting the personal data

Train processors on the protection of personal data and raise their awareness relating to the same

Set up internal systems to receive and investigate complaints, data access requests, data correction or deletion requests

and provide the data subjects with information relating to the same

Set up internal systems for the effective management of personal data, and report any violation of the same with the aim

of safeguarding personal data

Adopt suitable technical means to enable individuals to exercise their rights to access, review and correct their personal

data directly

Carry out comprehensive review and checking of the commitment to protect personal data

Verify that the data processor abides by the instructions given to him/her or take suitable precautions to protect personal

data, and continually monitor that situation

The data controller and processor must take necessary precautions to protect personal data against loss, damage, amendment, disclosure or access thereto or use thereof in an accidental or unlawful way. The Data Protection Law states the precautions taken must be proportionate to the nature and importance of the personal data to be protected. Organizations should adopt best practice methodologies in keeping with their business sector.

BREACH NOTIFICATION

There is an obligation on the data controller to notify the regulator, the CDP and the data subject of any breaches of the

measures to protect the data subject’s privacy if it is likely to cause damage to the data subject. The notification to the CDP and

the data subject must be made as soon as possible from the time the data controller becomes aware of the breach but in any

event, within 72 hours.

A personal data breach means a breach of security leading to an unlawful or accidental alteration, destruction, loss, unauthorised disclosure of, or access to personal data. This would encompass both accidental and deliberate breaches, such as theft or loss of IT equipment, inadequate disposal of confidential files that may contain personal data material and using client data for personal gain. In assessing whether a breach would cause serious damage, the data controller should take into consideration whether the breach would cause the data subject to be impacted negatively in various ways such as emotional distress, or physical or material damage.

ENFORCEMENT

In Qatar, the CDP is responsible for the enforcement of the Data Protection Law. Any data subject may submit a complaint to the

CDP in the case of a violation of the Data Protection Law. The CDP will investigate the complaint and, if the complaint is found to

be valid, the CDP can oblige the data controller or processor to rectify the violation within a specified time period.

The CDP can also impose fines of up to 5 million (US$1.4 million) for violations of the Data Protection Law.

ELECTRONIC MARKETING

Unsolicited direct marketing is prohibited under the Data Protection Law, which requires prior consent to send electronic

marketing communications (including by wired or wireless communication). The consent of the data subject must be affirmative,

explicit and unambiguous. Indirect or implied consent by means of pre-ticked boxes may be deemed invalid. 

All electronic marketing communications must include the identity of the sender and an indication that it is sent for the purpose of

direct marketing. The message must include an address that can easily be reached and must enable the recipient to send a message

requesting the sender to stop the electronic communication and enable the recipient to withdraw the consent at any time.

ONLINE PRIVACY

The Data Protection Law specifically regulates online privacy and the processing of data in relation to children. Owners and operators of websites must observe the following requirements.

In relation to online privacy, data controllers must ensure they have in place a privacy notice to notify data subjects that they are processing personal data. A privacy notice must generally include the following information:

- Details of the data controller including its legal name, registered address and contact information
- Details regarding third-party processors, if any, in which case the privacy notice should, inter alia, provide a description of why the data processors are processing information on behalf of the data controller
- The data controller’s purposes for processing personal data including the permitted reasons for doing so
- A comprehensive and accurate description of the processing activities
- The levels of disclosure for the permitted reasons for processing personal data or a general description
- Any other information that is necessary for fulfilling conditions of personal data processing, e.g., general information on how personal data is kept secure and a data subject’s rights and how they may be exercised

In relation to websites relating to children, a data controller should:

- Place a notification on the website regarding how children’s data is used and its disclosure policies
- Obtain express approval from the parents or guardian of the child before processing any personal data
- Provide the child’s parent or guardian—upon request and after verifying the identity of the child’s parent or guardian—a description of the personal data that is being processed, stating the purpose of the processing, and a copy of the child’s data that is being collected and processed
- Delete, erase, or suspend the processing of any personal data that was collected from the child or about the child, if the child’s parent or guardian requests this, and
- Refrain from making any child’s participation in a game or prize offer, or any other activity conditional on the child’s submission of personal data which goes beyond what is required for the purposes of participation in the game or prize offer

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Qatar 861 | | | www.dlapiperdataprotection.com

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Brenda Hill
Legal Director

T +974 4420 6126

brenda.hill@dlapiper.com


QATAR – FINANCIAL CENTRE

Last modified 17 January 2022

LAW

Note: Please also see Qatar.

The Qatar Financial Centre (“QFC”), a business center located on-shore in Qatar with its own regulations that are separate and distinct from those of the State of Qatar, implemented QFC Regulation No. 6 of 2005 on QFC Data Protection Regulations (“DPL”).

Additionally, under the powers granted to the QFC Authority under Article 21 of the DPL, the QFC Authority has issued the Data Protection Rules 2005 (DPR).

The QFC has issued a consultation on amendments to the DPL and DPR. Although there is no specific timeframe on when the amendments to the DPL and DPR will be effective, we expect it will be reasonably soon. As a general comment, the proposed changes are largely well drafted, provide increased clarity around the DPL and DPR, create certain new obligations and bring the QFC more closely in line with the position under the GDPR and other similar laws, which should assist international businesses in taking a relatively uniform approach to their data compliance activities.

DEFINITIONS

Definition of data controller

Any person in the QFC who alone or jointly with others determines the purposes and means of the processing of personal data.

Definition of data processor

Any person who processes personal data on behalf of a data controller.

Definition of identifiable natural person

A natural person who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Definition of personal data

Any information relating to an identified natural person or an identifiable natural person. 

Definition of processing


Any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as

collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Definition of sensitive personal data

Personal data revealing or relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union

membership and health or sex life.

NATIONAL DATA PROTECTION AUTHORITY

The Employment Standards Office (ESO) at the QFC Authority is effectively the administrator of the DPL and DPR in the QFC.

Employment Standards Office

Qatar Financial Centre

Level 8, QFC Tower 1

Westbay

Doha, Qatar

eso@qfc.qa

Tel: +974 44967609

REGISTRATION

Unless certain exceptions apply, data controllers must obtain a permit from and provide notice to the QFC Authority prior to

processing sensitive personal data or transferring personal data outside of the QFC to a recipient who is not subject to laws or

regulations that ensure an adequate level of protection for that personal data.

DATA PROTECTION OFFICERS

There is no requirement under the DPL or the DPR for organizations to appoint a data protection officer. Note, though, the general obligation of a data controller to implement appropriate technical and organizational measures to protect personal data, as further detailed below (see Security section). It is however recommended that organizations that operate on a large scale or carry out regular and systematic monitoring of individuals appoint an individual responsible for overseeing the data controller’s compliance with data protection requirements.

COLLECTION & PROCESSING

Data controllers may process personal data when any of the following conditions are met:

- The data subject has given his/her unambiguous consent to the processing of that personal data (DPL, Article 7(1))
- Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (DPL, Article 7(2))
- Processing is necessary for compliance with any legal obligation to which the data controller is subject (DPL, Article 7(3))
- Processing is necessary in order to protect the vital interests of the data subject (DPL, Article 7(4))
- Processing is necessary for the performance of a task carried out in the interests of the QFC, or in the exercise of the QFC Authority, the QFC Regulatory Authority, the QFC Tribunal or Appeals Body functions or powers vested in the data controller or in a third party to whom the personal data is disclosed (DPL, Article 7(5)), or
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by the third party or parties to whom the personal data is disclosed, except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject’s particular situation (DPL, Article 7(6))

Data controllers may process sensitive personal data when any of the following conditions are met:

- The data subject has given his/her explicit consent to the processing of that personal data (DPL, Article 8(1)(A))
- Processing is necessary for the purposes of carrying out the obligations and specific rights of the data controller in the field of employment law (DPL, Article 8(1)(B))
- Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving his/her consent (DPL, Article 8(1)(C))
- Processing is carried out by a foundation, association or any other nonprofit-seeking body in the course of its legitimate activities with appropriate guarantees that the processing relates solely to the members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data is not disclosed to a third party without the consent of the data subjects (DPL, Article 8(1)(D))
- The processing relates to personal data which is manifestly made public by the data subject or is necessary for the establishment, exercise or defense of legal claims (DPL, Article 8(1)(E))
- Processing is necessary for compliance with any legal obligation to which the data controller is subject (DPL, Article 8(1)(F))
- Processing is necessary to uphold the legitimate interests of the data controller recognized in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by compelling legitimate interests of the data subject relating to the data subject’s particular situation (DPL, Article 8(1)(G))
- Processing is necessary to comply with auditing, accounting or anti-money laundering obligations that apply to a data controller (DPL, Article 8(1)(H)), or
- Processing is required for the purposes of preventive medicine, medical diagnosis, the provision of care or treatment or the management of healthcare services, and where that personal data is processed by a health professional subject under national laws or regulations established by national competent bodies to the obligation of professional secrecy or by another person also subject to an equivalent obligation of secrecy (DPL, Article 8(1)(I))

TRANSFER

Data controllers may transfer personal data out of the QFC if the personal data is being transferred to a Recipient in a jurisdiction that has laws and regulations that ensure an adequate level of protection for that personal data (DPL, Article 9(1)). The adequacy of the level of protection ensured by laws and regulations to which the Recipient is subject shall be assessed in light of all the circumstances surrounding a personal data transfer operation or set of personal data transfer operations, including but not limited to:

- The nature of the data
- The purpose and duration of the proposed processing operation or operations
- If the data does not emanate from the QFC, the country of origin and country of final destination of the personal data
- Any relevant laws to which the recipient is subject, including professional rules and security measures

In the absence of an adequate level of protection, data controllers may transfer personal data out of the QFC if any of the following are true:

- QFC Authority has granted a permit for the transfer or the set of transfers and the data controller applies adequate safeguards with respect to the protection of this personal data (DPL Article 10(1)(A)). Article 3.2 of the DPR then sets out the requirements for applying for such a permit (including a description of the proposed transfer of personal data for which the permit is being sought and including a description of the nature of the personal data involved)
- Data subject has given his / her unambiguous consent to the proposed transfer (DPL, Article 10(1)(B))
- Transfer is necessary for the performance of a contract between the data subject and the data controller or the implementation of pre-contractual measures taken in response to the data subject’s request (DPL, Article 10(1)(C))
- Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the data controller and a third party (DPL, Article 10(1)(D))
- Transfer is necessary or legally required on grounds important in the interests of the QFC, or for the establishment, exercise or defense of legal claims (DPL, Article 10(1)(E))
- Transfer is necessary in order to protect the vital interests of the data subject (DPL, Article 10(1)(F))
- Transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case (DPL, Article 10(1)(G))
- Transfer is necessary for compliance with any legal obligation to which the data controller is subject (DPL, Article 10(1)(H))
- Transfer is necessary to uphold the legitimate interests of the data controller recognized in the international financial markets, provided that such is pursued in accordance with international financial standards and except where such interests are overridden by legitimate interests of the data subject relating to the data subject’s particular situation (DPL, Article 10(1)(I))
- Transfer is necessary to comply with auditing, accounting or anti-money laundering obligations that apply to a data controller which is established in the QFC (DPL, Article 10(1)(J))

Authorities who receive personal data in the context of a particular inquiry are not regarded as Recipients under the DPL or the

DPRs (as per the definition of Recipient in the DPL).

SECURITY

Data controllers must implement appropriate technical and organizational measures to protect personal data against accidental or

unlawful destruction or accidental loss, alteration, unauthorized disclosure or access and against all other unlawful forms of

processing, in particular where sensitive personal data is being processed or where the personal data is being transferred out of

the QFC to a jurisdiction without an adequate level of protection (DPL, Article 14(1)).

When applying for a permit to process sensitive personal data, or transfer personal data out of the QFC to a jurisdiction without

an adequate level of protection, data controllers must include detail regarding the safeguards employed to ensure the security of

such sensitive personal data/personal data (respectively, Articles 2.1.1(I) and 3.2.1(I) of the DPR).

The measures implemented ought to ensure a level of security appropriate to the risks represented by the processing and the

nature of the personal data to be protected (DPL, Article 14(2)).

BREACH NOTIFICATION

There is no requirement under the DPL or the DPR to inform the QFC Authority of any breaches of personal data databases. It is nevertheless recommended that a data controller notify the QFC Authority and the concerned data subjects of breach events as soon as practicable and in any event within 72 hours from the time the data controller becomes aware of such breach.

ENFORCEMENT

In the QFC, the ESO oversees the enforcement of the DPL.

If the QFC Authority is satisfied that a data controller has contravened or is contravening the DPL or DPR, the QFC Authority may issue a direction to the data controller requiring it to do either or both of the following:

- To do or refrain from doing any act or thing within such time as may be specified in the direction (DPL, Article 22(1)(A))
- To refrain from processing any personal data specified in the direction or to refrain from processing personal data for a purpose or in a manner specified in the direction (DPL, Article 22(1)(B))

A data controller may file an appeal against a decision by the QFC Authority to issue a direction pursuant to DPL, Article 22(1) at the QFC Tribunal (DPL, Article 22(3)).

ELECTRONIC MARKETING

Immediately upon collecting personal data, the DPL requires data controllers to provide data subjects who they have collected

personal data from, with, among other things, any further information to the extent necessary (having regard to the specific

circumstances in which the personal data is collected). This includes information on whether the personal data will be used for

direct marketing purposes (DPL, Article 11).

If the personal data has not been obtained from the data subject, the data controller or their representative must at the time of undertaking the recording of personal data – or if it is envisaged that the personal data will be disclosed to a third party, no later than when the personal data is first recorded or disclosed – provide the data subject with, among other things, information regarding whether the personal data will be used for direct marketing purposes (DPL, Article 12).

Before personal data is disclosed for the first time to third parties or used on a data subject’s behalf for the purposes of direct

marketing, data subjects also have the right to be informed and to be expressly offered the right to object to such disclosures or

uses (DPL, Article 16(1)(B)).

Additionally, the DPL requires a data controller to record various types of information regarding its personal data processing

operations (Article 17(1) and 2(A)). This must include an explanation of the purpose for the personal data processing (DPR,

Article 4(1)(B)). The DPR suggests that one of these purposes may be for advertising, marketing and public relations for the data

controller itself or for others (Article 4.1(e)).

ONLINE PRIVACY

Neither the DPL nor the DPR contains specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as Qatar criminal law applies in the QFC, the privacy principles laid out therein may apply (see Qatar).

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Brenda Hill
Legal Director

T +974 4420 6126

brenda.hill@dlapiper.com

Elias Al-Far
Associate

T +974 4420 6125

elias.al-far@dlapiper.com


REPUBLIC OF CONGO

Last modified 21 February 2022

LAW

The protection of personal data is governed by the law on the protection of data with a personal character N° 29 – 2019 of 10 October 2019, which was published in the official journal on 7 November 2019 (the “Law”). The Law entered into force on the date of its approval (25 November 2020).

Besides the Law, there are several sectoral laws or decrees that contain data protection aspects (on cybersecurity, mobile telecommunications, etc.).

DEFINITIONS

Definition of Personal Data

Any information relating to a natural person identified or identifiable directly or indirectly, by reference to an identification

number or identifiable on the basis of one or more elements specific to his/her physical, physiological, genetic, psychological,

cultural, social or economic identity.

Definition of Sensitive Personal Data

Genetic data, data relating to minors, data relating to offences, criminal convictions or security measures, biometric data, and all personal data revealing ethnic origin, parentage, political opinions, religious or philosophical beliefs, trade union membership, gender, health and sex life.

NATIONAL DATA PROTECTION AUTHORITY

The Law provides for the creation of a national data protection Commission by a separate law. This Commission plays an important role in the Law and its application. However, we are not aware that this Commission has been established.

REGISTRATION

The Law requires, save for some exceptions, that the processing of personal data must be notified to the Commission. The Commission provides a confirmation of receipt of the notification, after which the entity that made the notification can start processing personal data. If the data include sensitive personal data and the processing is not prohibited, prior authorisation must be obtained from the Commission. The Commission renders a decision within two months after receipt of the request to process certain sensitive personal data.

DATA PROTECTION OFFICERS

A data protection officer (délégué à la protection des données) needs to be appointed when (i) the data processing is done by a public entity, (ii) the data processing, because of its nature or purpose, requires regular and systematic follow-up, or (iii) the data processing is on a large scale for particular data.

COLLECTION & PROCESSING

The collection and processing of personal data can only be carried out with the prior and explicit consent of the person

concerned. Some exceptions apply when the processing is for valid legal reasons, in the public interest, for the performance of an

agreement or to protect the fundamental rights of the person concerned.

TRANSFER

Cross-border transfer of personal data is only allowed if the receiving state offers a similar protection of personal data and the

Commission is notified in advance of the intention to transfer data to a third country.

SECURITY

The Law provides for a detailed overview of security measures that must be taken by the processor of personal data in order to

secure the personal data.

BREACH NOTIFICATION

In case of a security breach, the processor of personal data must inform the Commission without delay and at the latest within 72 hours after it identified the breach.

Mandatory breach notification

It is mandatory to notify every breach to the Commission; however, the 72-hour deadline does not apply if there is no risk to the rights of the persons concerned. The breach must still be notified, but it must be explained why the breach was notified more than 72 hours after it was identified.

The persons concerned must also be informed of the breach if it poses an important risk to their rights.

ENFORCEMENT

As far as we know, there are no known cases. The Commission is not yet established.

Criminal sanctions apply, as well as fines ranging from USD 1,800 to 180,000.

ELECTRONIC MARKETING

Regulated by separate law.

ONLINE PRIVACY

Regulated by separate law.


KEY CONTACTS

PKM Africa

www.lawpkm.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Sophie Kabano Niwese
Partner

PKM Africa

T +32 476 080 079

sophie.kabano@lawpkm.com

Yves Brosens
Partner

PKM Africa

T +32 472 582 000

yves.brosens@lawpkm.com


ROMANIA

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in

2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on

May 25, 2018, without requiring implementation by the EU Member States through national law.

A regulation (unlike the directive which it replaced) is directly applicable and has consistent effect in all Member States. However,

there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own

domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the

Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An establishment may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extraterritorial effect. An organization that it is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the

offering of goods or services” (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” as

far as their behaviour takes place within the EU.

Law no. 190/2018 on the measures for the application of Regulation (EU) 2016/679 of the European Parliament and of the

Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the

free movement of such data, and repealing Directive 95/46/EC (“Law no. 190/2018”) was published in the Official Gazette

no. 651/26.07.2018 and became applicable on July 31, 2018. 

Law no. 190/2018 regulates, among others, the following activities, in addition to providing certain derogations and a framework related to the sanctions applicable to public authorities and public bodies:

- Processing of genetic data, biometric data or health data
- Processing of a national identification number
- Processing of personal data in the context of employment relationships
- Processing of personal data and of special categories of personal data within the performance of a task carried out in the public interest

DEFINITIONS


Personal data is defined as “any information relating to an identified or identifiable natural person.” A low bar is set for

identifiable – if the natural person can be identified using “all means reasonably likely to be used” the information is personal data.

A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other

factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of special categories of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences.

The GDPR is concerned with the processing of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a controller or a processor. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data.” The processor “processes personal data on behalf of the controller,” acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The data subject is a living, natural person whose personal data are processed by either a controller or a processor.

Law no. 190/2018 does not provide any specific definitions with respect to personal data, as this term is already defined by

the GDPR. However, the following relevant definitions are included:

- “Public authorities and bodies” means the Chamber of Deputies and the Senate, the Presidential Administration, the Government, the ministries, other specialized bodies of the central public administration, autonomous public authorities and institutions, local and county public administration authorities, other public authorities, as well as any institutions subordinated / coordinated by such authorities. Religious establishments, organisations and foundations of public service are considered public authorities / bodies.
- “National identification number” means the number by which an individual is identified in certain record systems and which has general applicability, such as: (i) personal identification number, (ii) serial number and identity card number, (iii) passport number, (iv) driving license, and (v) social health insurance number.
- “Remediation plan” means an annex to the report for finding and sanctioning misdemeanours, drafted by the National Supervisory Authority for Personal Data Processing (hereinafter referred to as ANSPDCP) setting remediation measures and terms.
- “Remediation measure” means a solution imposed by ANSPDCP in the remediation plan, in view of ensuring the compliance of the public authority/body with the obligations provided by the law.
- “Remediation term” means a time period of maximum 90 days calculated from the moment when the report for finding and sanctioning misdemeanours is communicated, in which the public authority/body may undertake remedial actions in order to correct any irregularities assessed by ANSPDCP and comply with its legal obligations.

All definitions included in Article 4 of the GDPR are applicable and have the same meaning under Law no. 190/2018.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (similar to the CNIL

in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the GDPR.

The GDPR creates the concept of “lead supervisory authority.” Where there is cross-border processing of personal data (ie, processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by, and answer to, the supervisory authority for their main or single establishment, the so-called “lead supervisory authority.”

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory. The lead supervisory authority concept is therefore of somewhat limited use to multinationals.

The National Supervisory Authority For Personal Data Processing

(in Romanian ‘Autoritatea Nationala de Supraveghere a Prelucrarii Datelor cu Caracter Personal’ or ‘ANSPDCP’)

28 30 Magheru Blvd

District 1, Bucharest

T +40 318 059 211

F +40 318 059 602

www.dataprotection.ro

REGISTRATION

There are no EU-wide systems of registration or notification, and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (eg, processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority.

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities, which must contain specific details about personal data processing

carried out within an organization and must be provided to supervisory authorities on request. This is a sizeable operational

undertaking.

All obligations in respect of notifying ANSPDCP of the processing of personal data were repealed on May 25, 2018 (when

GDPR came into force). 

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer (DPO) if it satisfies one or more of the following

tests:

It is a public authority

Its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systemic monitoring of data subjects on a large scale

Its core activities consist of processing sensitive personal data on a large scale

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities,

provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may

find it difficult in practice to operate with a single data protection officer).

DPOs must have expert knowledge of data protection law and practices, though it is possible to outsource the DPO role to a service provider.


Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which

relate to the protection of personal data,” and the DPO must directly report to the highest management level, must not be told

what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks.

The specific tasks of the DPO, set out in GDPR, include:

To inform and advise on compliance with GDPR and other Union and Member State data protection laws

To monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff

To advise and monitor data protection impact assessments where requested

To cooperate and act as point of contact with the supervisory authority

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

In addition to the requirements provided by the GDPR in Articles 37 to 39, Law no. 190/2018 provides that a data

protection officer (DPO) must be designated whenever the entity acting as controller is processing a national identification

number, including by collecting or disclosing any documents enclosing such national identification number, when the

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, in

accordance with the provisions of Article 6 paragraph 1 letter (f) of the GDPR.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be:

Processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”)

Accurate and where necessary kept up to date (the “accuracy principle”)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”)

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance for potentially years after a particular decision relating to processing personal data was rendered. Record-keeping, auditing and appropriate governance will all play a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous,” and must

be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract


Where necessary to comply with a legal obligation (of the EU) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited, except where one of the following exemptions applies (which, in effect, operate

as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity

Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorized by Member State domestic law. 

Processing for a Secondary Purpose

Increasingly, organisations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected. These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects


The existence of appropriate safeguards, which may include encryption or pseudonymisation

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, that is, the right for a data subject to understand how and why his or

her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet

easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language.

The following information must be provided at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this

The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable,

whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to

requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two

months where the request is onerous.

Right of access 

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information

about how the data have been used by the controller.

Right to rectify 

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) 

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xls).

Right to object 

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly

significantly affects him or her” is only permitted where: 

Necessary for entering into or performing a contract

Authorized by EU or Member State law

The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of the first or third grounds above, the data subject has the right

to obtain human intervention, to contest the decision, and to express his or her point of view.

1. Processing genetic data, biometric data or health data

The processing of genetic, biometric or health data for the purpose of achieving an automated decision-making process or

for profiling purposes is permitted only with the explicit consent of the data subject or if the processing is performed

based on express legal requirements, with the obligation to implement adequate measures for the protection of the rights,

freedoms and legitimate interests of the data subject. Law no. 190/2018 does not specify or provide any examples with

respect to what type of measures should be implemented in view of the processing.

Law no. 190/2018 expressly allows the processing of health data for the purpose of public health, as defined under

Regulation (EC) No 1338/2008 of the European Parliament and of the Council of 16 December 2008 on Community

statistics on public health and health and safety at work. However, subsequent processing of such data may not be

performed for other purposes by third parties.

2. Processing a national identification number 

Law no. 190/2018 provides that processing a national identification number, including by collecting or disclosing any


documents enclosing such national identification number, may be carried out in the situations provided for in Article 6 (1)

of the GDPR. However, where processing is based on the legitimate interests pursued by the controller or by a third

party (i.e. Article 6 (1) (f) of the GDPR), the processing activities may be carried out only if the following guarantees have

been implemented by the controller:

Adequate technical and organizational measures to observe, in particular, the principle of data minimization and to

ensure the security and confidentiality of personal data processing, according to the provisions of art. 32 of the

GDPR;

The appointment of a DPO;

Establishment of retention terms in accordance with the nature of the personal data and the purpose of the

processing, as well as specific deadlines in which personal data must be deleted or revised in order to be deleted;

Regular training of the personnel processing personal data under the direct authority of the controller or

processor.

3. Processing personal data in the context of employment relationships

Electronic monitoring and/or video surveillance systems of employees at the workplace based on the legitimate interests of the employer are permitted only if the following apply:

The legitimate interests pursued by the employer are thoroughly justified and prevail over the interests or rights

and freedoms of the data subjects;

The employer has made the compulsory, complete and explicit prior information to the employees;

The employer consulted the relevant trade union or, where applicable, the employees’ representatives prior to

the introduction of the monitoring systems;

Other less intrusive forms and ways to achieve the goal pursued by the employer have not previously proved

their effectiveness;

The retention duration of personal data is proportional to the purpose of processing, but not more than 30 days,

except for situations expressly governed by law or in duly justified cases.

4. Processing of personal data for journalistic purposes or for the purpose of academic,

artistic or literary expression

According to Law no. 190/2018, in view of ensuring a balance between the right to personal data protection, freedom of

expression and the right to information, processing of personal data for journalistic purposes, or for the purposes of

academic, artistic or literary expression may be performed if such processing refers to personal data which were

manifestly made public by the data subject or which are strongly connected to the quality of public person of the data

subject or to the public nature of the facts in which the data subject is involved, by derogation from the following chapters

of the GDPR:

Chapter II – Principles

Chapter III – Rights of the data subject

Chapter IV – Controller and processor

Chapter V – Transfers of personal data to third countries or international organizations

Chapter VI – Independent supervisory authorities

Chapter VII – Cooperation and consistency

Chapter IX – Provisions relating to specific processing situations

5. Processing of personal data for scientific or historical research purposes, statistical

purposes or archiving in the public interest purposes

According to Law no. 190/2018, Articles 15, 16, 18 and 21 of the GDPR do not apply in case personal data are processed

for scientific or historical research purposes or statistical purposes, to the extent the rights mentioned in these Articles


are likely to render impossible or seriously impair the achievement of the objectives of the processing, and such

derogations are necessary for achieving such objectives. These derogations are applied only with respect to archiving

purposes in the public interest, scientific or historical research purposes or statistical purposes and not with respect to

other purposes for which the personal data may be used. Articles 15, 16, 18, 19, 20 and 21 GDPR do not apply in cases

where personal data is processed for archiving purposes in the public interest to the extent that the rights mentioned in

those Articles are likely to render impossible or seriously impair the achievement of the objectives of the processing, and

such derogations are necessary for achieving such objectives. These derogations are applicable only with respect to

scientific or historical research purposes and for archiving in the public interest purposes, and not with respect to other

purposes for which the personal data may be used. Both these derogations are applicable only if appropriate safeguards

for the rights and freedoms of data subjects are implemented, in accordance with Article 89(1) GDPR. 

6. Processing of personal data and special categories of personal data by political parties,

national minorities organisations and non-governmental organisations for the purpose of

fulfilling their objectives

Processing of personal data and special categories of personal data by political parties, national minorities organisations and non-governmental organisations for the purpose of fulfilling their objectives can be done without the explicit consent of the data subject but with the application of the following:

The information of data subjects on the processing of personal data;

Guaranteeing the transparency of the information, of the communications and of the manner in which data

subjects can exercise their rights;

Guaranteeing the right to rectification and the right to erasure.  

TRANSFER

Transfers of personal data by a controller or a processor to countries outside of the EU (and Norway, Liechtenstein and Iceland)

are only permitted when certain conditions are met.

The European Commission has the power to make an adequacy decision in respect of a non-EU country, determining that it provides for an adequate level of data protection, and thereby permitting personal data to be freely transferred to that country.

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes, among other things, binding corporate rules, standard contractual clauses, and the EU-US Privacy

Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and

in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where any of the following

apply: 

Explicit informed consent has been obtained

The transfer is necessary for the performance of a contract or the implementation of pre-contractual measures

The transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person

The transfer is necessary for important reasons of public interest

The transfer is necessary for the establishment, exercise or defence of legal claims

The transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained 

The transfer is made from a register which according to EU or Member State law is intended to provide information to

the public, subject to certain conditions. 


There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject. Notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU are only recognized or

enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force

between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no

other legal basis for transfer will infringe the GDPR.

No specific provisions / derogations are provided by Law no. 190/2018 with respect to personal data transfers.

SECURITY

The GDPR does not prescribe specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A one-size-fits-all

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

The pseudonymization and encryption of personal data

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for

ensuring the security of the processing

No specific provisions / derogations are provided by Law no. 190/2018 with respect to the security measures to be

undertaken by controllers / processors.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,

personal data transmitted, stored or otherwise processed.”

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay.

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach.

The notification to the supervisory authority must include where possible:

The categories and approximate numbers of individuals and records concerned

The name of the organisation’s data protection officer or other contact


The likely consequences of the breach and the measures taken to mitigate harm 

Controllers are also required to keep a record of all data breaches (whether or not notified to the supervisory authority) and

permit audits of the record by the supervisory authority.

No specific provisions / derogations are provided by the Law no. 190/2018 with respect to the notification of a personal

data security breach. However, where data controllers notify a personal data breach to ANSPDCP, a special notification

form must be filled out and submitted.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or €20 million

(whichever is higher).

The European Commission intends that fines should, where appropriate, be imposed by reference to the revenue of an economic

undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that undertaking

should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which

prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not

define undertaking and the case law is not entirely straightforward, with decisions often turning on the specific facts of each case.

However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will

turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinized carefully to understand the

interpretation of undertaking. Under EU competition law case law, there is also precedent for regulators to impose joint and

several liability on parent companies for fines imposed on subsidiaries in some circumstances (broadly where there is participation

or control), under a theory of so-called look-through liability. Again, it remains to be seen whether there will be a direct read-across

of this principle into GDPR enforcement.

Fines are split into two broad categories. The highest fines of up to €20 million or, in the case of an undertaking, up to 4% of total

worldwide turnover of the preceding year, whichever is higher, apply to infringement of any of the following:

The basic principles for processing including conditions for consent

Data subjects’ rights

International transfer restrictions

Any obligations imposed by Member State law for special cases such as processing employee data

Certain orders of a supervisory authority

The lower category of fines of up to €10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the

preceding year, whichever is the higher, apply to infringement of any of the following:

Obligations of controllers and processors, including security and data breach notification obligations

Obligations of certification bodies

Obligations of a monitoring body

Supervisory authorities are not required to impose fines, but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive. 

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers including the power to undertake on-site data

protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Romania 881 | | | www.dlapiperdataprotection.com

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

Any person who has suffered material or non-material damage as a result of a breach of the GDPR has the right to receive compensation from the controller or processor. The inclusion of non-material damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

Data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf.

Individuals also enjoy the right to lodge a complaint with a supervisory authority. 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision.

Data subjects enjoy the right to an effective legal remedy against a controller or processor. 

ANSPDCP is entitled to investigate any breach of the GDPR provisions ex officio or following a complaint filed by a prejudiced data subject. The procedure on how ANSPDCP investigations are conducted is provided by ANSPDCP Decision no. 161/2018.

Law no. 190/2018 provides specific rules with respect to enforcement. Specifically, ANSPDCP may issue written warnings

and apply fines. 

Misdemeanours committed by public authorities / bodies can be sanctioned with a fine ranging between RON 10,000

(approx. EUR 2,100) to RON 200,000 (approx. EUR 42,000).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g., an email address which includes the recipient's name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time.

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (“ePrivacy Directive”), as transposed into the local laws of each Member State. The ePrivacy Directive is to be

replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has

discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In

the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced by references

to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with

the GDPR standard for consent.

The processing of personal data for electronic marketing purposes is regulated under Law no. 506/2004 on the processing of personal data in the electronic communications sector, implementing Directive 2002/58/EC ("Law no. 506/2004").

According to this law, it is forbidden to send commercial communications by using automatic call and communication systems that do not require the intervention of a human operator, by fax or by electronic mail or any other method employing publicly available electronic communications services, except where the subscriber or user of a publicly available electronic communications service has expressly consented in advance to receive such communications.

However, in cases where a natural or legal person has directly obtained the email address of a client upon the sale or

provision of a product or service, the natural or legal person may use the respective address for the purpose of sending

commercial communications regarding similar products or services, provided that clients are clearly and expressly offered

the possibility to oppose by way of an easily accessible and free-of-charge method, not only when the email address is

collected but also with each commercial communication received, in a case where the customer has not initially objected.

ONLINE PRIVACY

The processing of traffic data, location data and the implementation of cookies is regulated under Law no. 506/2004.

Traffic data

Traffic data relating to subscribers and users processed and stored by the provider of a public electronic communications network

or publicly available electronic communications service must be erased or made anonymous when it is no longer needed for the

purpose of the transmission of a communication, but no later than three years from the date of such a communication.

However, traffic data may be retained for the purpose of marketing the services offered to data subjects, or in view of the

provision of value-added services, solely throughout the marketing period and provided that data subjects have previously

consented to the processing of traffic data. Data subjects may withdraw such consent at any time. The provider of publicly

available electronic communication services must inform data subjects in respect of the processed categories of traffic data, and

the duration of processing, prior to obtaining their consent.

The processing of traffic data for billing purposes or the establishment of payment obligations for interconnection is permitted

solely for a period of three years following the due date of the respective payment obligation. The provider of publicly available

electronic communication services must inform data subjects in respect of the processed categories of traffic data and the

duration of processing.

The processing of traffic data for the establishment of contractual obligations of the communication services subscribers, with

payment in advance, is permitted solely for a period of three years following the date of the communication. 

The processing of traffic data as mentioned above may be done only by persons acting under the authority of providers of public

electronic communications networks or of publicly available electronic communications services for:

Management of billing and traffic

Dealing with enquiries of data subjects

Prevention of fraud, or

The provision of communication services or value added services,

and it is permitted only if it is necessary to fulfil such purpose.

Location data, other than traffic data

The processing of location data, other than traffic data, is permitted when:

Data is rendered anonymous

Data subjects have explicitly consented prior to such processing, for the duration necessary for the performance of value-added services, or

The purpose of the value-added service is the unidirectional and non-differentiated transmission of information towards users.


The provider of publicly available electronic communications services must inform the users or subscribers, prior to obtaining their consent, in respect of the type of location data which will be processed, of the purposes and duration of the processing and whether the data will be transmitted to a third party for the purpose of providing the value-added service. Users or subscribers shall be given the possibility to withdraw their consent at any time. Where consent of the users or subscribers has been obtained for the processing of location data other than traffic data, the provider of publicly available electronic communications services must grant users the possibility, using a simple and free-of-charge means, of withdrawing consent or of temporarily refusing the processing of such data for each connection to the network or for each transmission of a communication.

Cookies

The storing of cookies on user terminals is permitted, subject to the following cumulative conditions:

Subscribers or users have expressly consented thereto (Law no. 506/2004 also provides that consent may be given by way

of browser settings or other similar technologies)

The information requirements provided by Data Protection Law have been complied with in a clear and user-friendly

manner, to include references regarding the purpose of processing of the information stored by users.

Should the service provider allow the storing of third-party cookies within a user's computer terminal, the user will have to be informed about the purpose of such processing and the manner in which browser settings may be adjusted in order to refuse third-party cookies.

Consent is not required where cookies are:

Used for the sole purpose of carrying out the transmission of a communication over an electronic communications

network, or

Strictly necessary for the provision of an information service expressly requested by the subscriber or the user.

Failure to comply with the requirements of Law no. 506/2004 is classified as a minor offence and is sanctionable with fines ranging from approx. EUR 1,000 to EUR 21,000. In the case of companies whose turnover exceeds approximately EUR 1.05 million, the amount of fines may reach up to 2% of the respective company's turnover.

Upon request of the courts of law, of the criminal prosecution authorities or of the authorities competent in the area of national defence and security, with the prior approval of the judge, providers of publicly available electronic communication services and providers of public electronic communications networks shall make available, as soon as possible but no later than 48 hours, traffic data, data regarding user terminals, as well as geolocation data.

KEY CONTACTS

Ana-Maria Andronic
Head of Intellectual Property and Technology

T +40 372 155 816

anamaria.andronic@dlapiper.com

Corina Badiceanu
Managing Associate

T +40 372 155 853

corina.badiceanu@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.


RUSSIA

Last modified 15 January 2021

LAW

Fundamental provisions of data protection law in Russia can be found in the Russian Constitution, international treaties and

specific laws. Russia is a member of the Strasbourg Convention for the Protection of Individuals with regard to Automatic

Processing of Personal Data (Convention) (ratified by Russia in 2006) and the Russian Constitution establishes the right to privacy

of each individual (Articles 23 and 24). Most rules are found in specific legislation, particularly the Data Protection Act No. 152 FZ

dated 27 July 2006 (DPA) and various regulatory acts adopted to implement the DPA as well as other laws, including the

Information, Information Technologies and Information Protection Act No. 149 FZ dated 27 July 2006 establishing basic rules as to

the information in general and its protection. In addition, the Russian Labour Code contains provisions on the protection of

employees’ personal data (Part XIV). Other laws may also contain data protection provisions which implement the provisions of

DPA in relation to specific areas of state services or industries.

On 22 July 2014 notable amendments to the DPA were adopted and came into force on 1 September 2015. The amendments

require all personal data operators to store and process any personal data of Russian individuals within databases located in Russia

(subject to few exceptions). The penalty for violation of this requirement is ultimately the blocking of websites involving unlawful

handling of Russian personal data. A Register of Infringers of Rights of Personal Data Subjects shall be established by Roscomnadzor, and from there Roscomnadzor may move to block websites.

As the amendments are newly passed and a track record of enforcement and legal interpretation has not been established, it is

still unclear as to how this register and the website blocking would work in practice. According to clarifications of Russian

regulators, storing and processing of personal data of Russian individuals outside of Russia can still be compliant with the law as

long as primary (often interpreted as initial) storage and processing of data is done in Russia. It is still an open question whether

keeping “mirror” databases in Russia and elsewhere would be deemed as compliant.

DEFINITIONS

Definition of personal data

Personal data is defined in law as any information that relates directly or indirectly to the specific or defined physical person (the

data subject). This can be widely interpreted in various contexts, so it is important to consider each situation carefully.

Definition of sensitive personal data

Sensitive personal data is defined as special categories of personal data in Russian legislation. Such special categories include data related to race, national identity, political opinions, religious and philosophical beliefs, state of health, intimate life and biometric data.

NATIONAL DATA PROTECTION AUTHORITY

Federal Service for Supervision of Communications, Information Technologies and Mass Media or, in short, Roscomnadzor ("Agency")

Build. 2, 7, Kitaigorodskiy proezd

Moscow, 109074

T +7 495 987 6800

F +7 495 987 6801

http://www.rsoc.ru/

REGISTRATION

The Agency is in charge of maintaining the Registry of Data Controllers.

Any data controller shall notify the Agency in writing about its intention to process personal data, unless one of the following

exclusions applies:

the personal data is exclusively data about employees;

the personal data was received in connection with a contract entered into with the data subject, provided that such data is

not transferred without the consent of the data subject, but used only for the performance of the contract and entering

into contracts with the data subject (for example, data provided by a customer purchasing a product online and the data is

used only to fulfil the order);

the personal data is the data about members of a public or religious association and processed by such an organisation for

lawful purposes in accordance with their charter documents, provided that such data is not transferred without the

consent of the data subjects; 

the personal data was made publicly accessible data by the data subject;

the personal data includes the surname, name and father’s name only (Russia uses patronymic references in place of

“middle” names);

the personal data is necessary in order to give single access to the premises of the data controller or for other similar

purposes;

the personal data is included in state automated information systems or state information systems created for the

protection of state security and public order;

the personal data is processed in accordance with the law without any use of automatic devices; or

the personal data is processed in accordance with transportation security legislation for the purposes of ensuring the stable and secure functioning of the transport system and protecting personal, public and state interests.

The notification letter shall contain information about:

the full name and address of the data controller;

the purpose of the processing;

the categories of personal data processed;

the categories of the subjects whose personal data is processed;

the legal grounds for processing;

the types of processing of the personal data;

the measures of protection of personal data;

name and contact information of the physical person or legal entity responsible for personal data processing;

the commencement date;

information on occurrence of cross border transfer of personal data;

the term of processing or the conditions for termination of processing the personal data; and

information on personal data security provision.

DATA PROTECTION OFFICERS

If the data controller is a legal entity, it is required to appoint a data protection officer. Such an appointment is considered to be a personal data protection measure. The data protection officer oversees compliance by the data controller and its employees regarding data protection issues, informs them of statutory requirements and organises the receiving and processing of communications from data subjects.

There are no legal restrictions as to whether the data protection officer should be a citizen or resident of the Russian Federation; however, it is advisable that the data protection officer is available in case there is an inspection or other communication from the authorities.

Non-appointment or improper appointment of the data protection officer is a violation of the data protection regime and may

result in the imposition of penalties and enforcement protocols, as described below.

COLLECTION & PROCESSING

Data controllers may collect and process personal data where any of the following conditions are met:

the data subject consents;

the processing is required by a federal law or under an international treaty;

the processing is required for the administration of justice, or for the execution of a court order or of another act of a public authority or official that is subject to enforcement;

the processing is required for provision of state or municipal services;

the data controller needs to process the data to perform or conclude a contract to which the data subject is a party or

beneficiary party or guarantor;

the processing is carried out for statistical or scientific purposes (except where processing is used also for advertising

purposes) provided that it is impersonalised;

the processing is necessary to protect the life, health or other vital interests of the data subject, and it is impossible to obtain the data subject's consent;

the processing is necessary to exercise the rights and legitimate interests of the data controller or of third parties, or to achieve socially significant purposes, provided that the data subject's rights and freedoms are not violated;

personal data that is processed was publicly made accessible by the data subject or upon his or her request;

the processing is carried out by a journalist or mass media as a part of its professional activities or for the purposes of

scientific, literary or other creative activities, except if the processing would damage the data subject’s rights and

freedoms; or

personal data that is processed is subject to publication or mandatory disclosure under law.

As a general rule, consent by a data subject may be given in any form, but it is the data controller's obligation to provide proof that it has the data subject's consent. Because of this burden of proof, it is important to keep careful records of consents.

In the following cases, the DPA requires that the data subject’s consent should be in writing (preferably in hard copy form):

where the personal data is collected to be included within publicly accessible sources;

where sensitive or biometrical data is processed;

in the case of the cross border transfer of personal data, where the recipient state does not provide adequate protection

of personal data; or

where a legally binding decision is made solely on the grounds of the automated processing of personal data.

Consent is deemed to have been given in writing where it is signed by hand or given in an electronic form and signed by an

electronic signature.

Consent may be revoked.

Consent in writing must contain the following information:

the identity of the data subject, his/her address and passport details, and the identity of the data subject's representative (if any);

the identity and address of the data controller or the entity that processes personal data on behalf of the data controller (if any);

the purpose of the processing;

the list of personal data that may be collected and processed;

the types of processing that are authorised;

the term for which the consent remains valid and the method of its revocation; and

the data subject's signature.

The data controller shall ensure the confidentiality of personal data. The data controller and other persons who have access to the

personal data, shall not disclose any information to a third party without the prior consent of the data subject.

TRANSFER

Prior to a transfer of personal data out of Russia, the data controller must ensure that the recipient state provides adequate

protection of personal data. The fact that the recipient state ratified the Convention is sufficient grounds to deem that the state

provides adequate protection of personal data for the purposes of the DPA.

Where there is no adequate protection of personal data, a cross border transfer is permitted if one of the following conditions is

met:

the data subject consents;

the transfer is provided for under an international treaty to which Russia is a signatory;

the transfer is necessary in accordance with federal laws for protection of the Constitution, state defence, security and

transport system;

for the purposes of performance of a contract to which the data subject is party; or

the transfer protects the data subject’s vital interests where it is not possible to get the written consent of the data

subject.

In addition to the above, Roscomnadzor issued Order No. 274 of 15 March 2013 "On endorsement of the List of the Foreign States Which are Not Parties to the EC Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data". The Order contains the list of countries which are officially recognized by Russian authorities as "ensuring adequate protection". Apart from the Member States of the Convention, there are 23 such "white-listed" states as of today.

SECURITY

Data controllers are required to take appropriate technical and organisational measures against unauthorised or unlawful

processing and accidental loss, changing, blocking or destruction of, or damage to, personal data.

A recent special regulation sets forth certain measures that the data controller should undertake to ensure the security of personal data, data systems, carriers of biometric information and technologies.

BREACH NOTIFICATION

There is no mandatory requirement to report data security breaches or losses to the Agency or to data subjects.

ENFORCEMENT

In Russia, the Agency is responsible for the enforcement of the DPA. The Agency is entitled to:

carry out checks;

consider complaints from data subjects;

require the submission of necessary information about personal data processing by the data controller;

require the undertaking of certain actions according to the law by the data processor, including discontinuance of the

processing of personal data;

file court actions;

initiate criminal cases; and

impose administrative liability.

If the Agency becomes aware that a data controller is in violation of the law, it can serve an enforcement notice requiring the data controller to rectify the position.

A data controller can face civil, administrative or criminal liability if there is a violation of personal data law. Officers of the data

controller responsible for the offence may also face disciplinary action.

Usually, in the case of violation of data protection law, the Agency will serve an enforcement notice requiring the position to be

rectified and may also impose an administrative penalty and/or recommend imposing disciplinary action on the officers of the data

controller who are responsible for the offence.

The maximum administrative penalty that can be imposed, as at the date of this review, is RUB (Russian Rubles) 75,000.

ELECTRONIC MARKETING

Electronic marketing activities are subject to limitations set by the Russian Law on Advertising No. 38-FZ dated 13 March 2006,

under which the distribution of advertising through telecommunications networks, in particular, through the use of telephone,

facsimile and mobile telephone communications, is allowed only subject to preliminary consent of a subscriber or addressee to

receive advertising.

Advertising is presumed to be distributed without the preliminary consent of the subscriber or addressee unless the advertising distributor can prove that such consent was obtained. The advertising distributor is obliged to stop the distribution of advertising immediately upon the demand of the person to whom it is addressed.

ONLINE PRIVACY

Russian law does not specifically regulate online privacy. The definition of personal data under the DPA is rather broad, and there are views that information on the number and length of visits to particular websites, and IP addresses (in combination with other data allowing the user to be identified), could be considered personal data.

KEY CONTACTS

Michael Malloy
Counsel and Head of Intellectual Property and Technology Practice

T +7 495 221 4400

michael.malloy@dlapiper.com

Pavel Arievich
Legal Director

T +7 495 221 4472

pavel.arievich@dlapiper.com

Ekaterina Golodinkina
Associate

T +7 495 221 4546

ekaterina.golodinkina@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization's level of data protection maturity.

RWANDA

Last modified 14 December 2021

LAW

The law governing data protection in Rwanda is the Law n°058/2021 of 13/10/2021 relating to the protection of personal data and privacy (the "Data Protection Law").

The Data Protection Law came into effect on 15 October 2021. Data controllers and processors who are already in operation have a period of two (2) years from the Data Protection Law commencement date to conform to its provisions.

Other relevant laws include:

The Law n° 24/2016 of 18/06/2016 governing Information and Communication Technologies in Rwanda (the "ICT Law").

The Law nº 60/2018 of 22/8/2018 on prevention and punishment of cyber-crimes (the "Cyber Crime Law").

DEFINITIONS

Definition of Personal Data

The Data Protection Law defines personal data as “any information relating to an identified or identifiable natural person who can be

identified, directly or indirectly, in particular by reference to an identifier such as:

name

identification number

location data

an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social

identity of that natural person” (article 3, 1°).

Definition of Sensitive Personal Data

The Data Protection Law defines sensitive personal data as “information revealing a person’s race, health status, criminal records,

medical records, social origin, religious or philosophical beliefs, political opinion, genetic or biometric information, sexual life or family details”

(article 3, 2°).

NATIONAL DATA PROTECTION AUTHORITY

The supervisory authority regarding data protection is the National Cyber Security Authority ("NCSA") (article 3, 23°).

REGISTRATION

A Data Controller is defined as a "natural person, public or private corporate body or legal entity which, alone or jointly with others, processes personal data and determines the means of their processing" (article 3, 19°).

A Data Processor is defined as a "natural person, public or private corporate body or legal entity, which is authorised to process personal data on behalf of the data controller" (article 3, 24°).

Data Controllers ("DC") and Data Processors ("DP") are required to register with the NCSA (article 29).

The registration application must indicate the following (article 30): 

identity of the DC or DP and their designated single point of contact;

identity and address of their representative if they have nominated any;

description of personal data to be processed and the category of data subjects;

whether or not the applicant holds or is likely to hold the types of personal data based on the sectors in which it

operates;

purposes of the processing of personal data;

categories of recipients to whom the DC or DP intends to disclose the personal data;

country to which the applicant intends to directly or indirectly transfer the personal data; and

risks in the processing of personal data and measures to prevent such risks and protect personal data. 

The NCSA issues a DC or DP registration certificate within 30 days of the application. 

A regulation from the NCSA determining the validity period of the registration certificate is yet to be adopted (article 31).

DATA PROTECTION OFFICERS

The Data Protection Law requires that the DC and DP designate a data protection officer in the following cases (article 40): 

the processing of personal data is carried out by a public or private corporate body or a legal entity, except courts;

the core activities of the DC or the DP consist of personal data processing operations which, by virtue of their nature,

their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;

the core activities of the DC or the DP consist of processing on a large scale of sensitive personal data and personal data

of convicts in accordance with the Data Protection Law’s requirements for the process of such data.

COLLECTION & PROCESSING

The DC is required to collect personal data only for a lawful purpose connected to its activity and only when the data is necessary for that purpose (article 42).

When collecting personal data, the DC is required to inform the data subject of the following: 

identity and contact details;

purposes for which personal data are collected;

recipients of such personal data;

whether the provision of personal data by the data subject is voluntary or mandatory;

the existence of the right to withdraw consent at any time and that such withdrawal does not affect the lawfulness of the

processing of personal data based on consent before its withdrawal;

the existence of the right to request from the DC access to, rectification, restriction or erasure of personal data concerning the data subject, or to object to the processing of the data;

the existence of automated decision-making, including profiling, and information about the logic involved, as well as the significance and the envisaged consequences of such processing of personal data for the data subject;

the period for which personal data will be stored;

the right to appeal to the supervisory authority;

where applicable, that the DC may transfer personal data outside of Rwanda, together with the assurance given to the data subject regarding the security of that data;

any further information likely to guarantee fair processing of the personal data, having regard to the specific circumstances

in which the data are collected. 


The DC is not subject to the above disclosure requirements if: 

the data subject already has the information;

the provision of such information proves impossible or involves a disproportionate effort; or

the recording or disclosure of the personal data is required by the Data Protection Law. 

The DC or DP may only process personal data on a lawful basis, which includes the following (article 46):

the data subject’s consent to the processing of their personal data for a purpose explained to them;

processing is necessary:

for the performance of a contract to which the data subject is party or in order to take steps at the request of

the data subject prior to entering into a contract;

for the performance of a legal obligation to which the DC is subject;

for the protection of vital interests of the data subject or any other person;

for the performance of a duty carried out in the public interest or in the exercise of official authority vested in

the DC;

for the performance of duties of a public entity;

the processing is necessary for the legitimate interests pursued by the DC or by a third party to whom the personal data are disclosed, unless the processing is unwarranted in any particular case having regard to the prejudice to the rights and freedoms or legitimate interests of the data subject;

the processing is carried out for research purposes upon authorization by the relevant institution.

The Data Protection Law also provides for requirements relating to the processing of personal data of a child under the age of 16

years which include the following (article 9): 

processing of the child’s personal data is subject to obtaining the consent of the holder of parental responsibility over the

child;

the consent obtained on behalf of the child must be given in the child’s interest to be acceptable;

the consent is not required if it is necessary for protecting the vital interest of the child. 

The DC or DP must store personal data in Rwanda. Storage of personal data outside of Rwanda is only permitted if the DC or DP

holds a valid registration certificate authorising them to transfer or store personal data outside Rwanda (article 50).

TRANSFER

The transfer of personal data outside of Rwanda is only permitted for the following cases (article 48): 

the DC or DP has obtained authorization from the NCSA after providing proof of appropriate safeguards with respect to

the protection of personal data;

the data subject has given his or her consent;

the transfer is necessary:

for the performance of a contract between the data subject and the DC, or the implementation of pre-contractual measures taken in response to the data subject’s request;

for the performance of a contract concluded in the interest of the data subject between the DC and a third party;

for public interest grounds;

for the establishment, exercise, or defense of a legal claim;

to protect the vital interests of the data subject or another person where the data subject is physically or legally

incapable of giving his or her consent;

for the purpose of compelling legitimate interests pursued by the DC or by the DP, which are not overridden by

the interests, rights and freedoms of the data subject and when:

transfer is not repetitive and concerns only a limited number of data subjects;

the data controller or the data processor has assessed all the circumstances surrounding the data transfer

and has, on the basis of that assessment, provided suitable safeguards with regard to the protection of

personal data;

for the performance of international instruments ratified by Rwanda. 


The DC or DP transferring personal data outside of Rwanda must enter into a written contract with the transferee setting out the

respective roles and responsibilities of each party to ensure compliance with the Data Protection Law (article 49). 

A regulation from the NCSA determining the form of contract to be used for transfers of personal data outside Rwanda is yet to

be adopted (article 49).

SECURITY

The DC and DP are required to ensure security of the personal data in their possession by adopting appropriate, reasonable

technical measures to prevent loss, damage or destruction of personal data which include the following (article 47): 

identify foreseeable risks to personal data in their possession or under their control, and establish and maintain appropriate safeguards against those risks;

regularly verify whether the personal data safeguards are effectively implemented;

ensure that the personal data security safeguards are continually updated in response to new risks or any identified

deficiencies. 

The NCSA is entitled by the Data Protection Law to conduct inspection and assessment of these security measures. 

The Data Protection Law also provides for safeguards that DC or DP processing sensitive personal data must adopt including

storing sensitive personal data separately from other types of data or applying measures such as tokenisation, pseudonymisation or

encryption (article 11).

BREACH NOTIFICATION

In case of a personal data breach, the DC is required to notify the NCSA within 48 hours after becoming aware of the incident. The DP is required to notify the DC of any personal data breach within 48 hours after becoming aware of the incident (article 43).

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject, the DC is also required to communicate the breach to the data subject, in writing or electronically, after having become aware of it (article 45). The Data Protection Law does not specify a time limit for this communication.

This communication of personal data breach to the data subject is not required in the following cases: 

the DC has implemented appropriate technical and organisational protection measures in relation to the personal data affected by the breach, such that the breach is unlikely to result in a high risk to the rights and freedoms of the data subject;

the DC has taken measures which ensure that the high risk to the rights and freedoms of the data subject is no longer

likely to materialize;

the DC has communicated the breach to the public, such that the data subject is informed in an equally effective manner.

Where the personal data breach is likely to result in a high risk to the rights and freedoms of the data subject and the DC has not yet made such a communication, the NCSA may require the DC to do so.

ENFORCEMENT

The Data Protection Law provides for administrative misconduct, sanctioned by administrative fines (article 53), and for offences, sanctioned by imprisonment and fines (articles 56 to 63).

Administrative misconduct sanctioned by NCSA fines includes operating without a registration certificate, failure to designate a data protection officer, and failure to comply with the personal data breach obligations (notification, reporting and communication) (article 53). The administrative fine is between RWF 2,000,000 and RWF 5,000,000, or 1% of the global turnover of the preceding financial year for a corporate body or legal entity.


Any person not satisfied with the administrative sanction taken against them has the right to file an application to the competent

court (article 54). 

The NCSA is the initial organ in charge of settlement of conflicts arising in relation to the Data Protection Law. 

The Data Protection Law provides that the following violations are criminal offences (articles 56 to 61):

access, collection, use, offer, share, transfer or disclosure of personal data contrary to the Data Protection Law;

re-identification of de-identified personal data contrary to the Data Protection Law;

destruction, erasure, concealment or alteration of personal data contrary to the Data Protection Law;

sale of personal data contrary to the Data Protection Law;

collection or processing of sensitive personal data contrary to the Data Protection Law;

provision of false information. 

A corporate body or legal entity convicted of an offence is liable to a fine amounting to 5% of the annual turnover of the previous financial year (article 62).

Additional penalties for the offences that the court can order include (article 63):

seizure or confiscation of items used in the commission of any of the offences;

permanent or temporary closure of the legal entity or body or the premises in which any of the offences were committed.

ELECTRONIC MARKETING

The Data Protection Law provides for the data subject right to object to the processing of his/her personal data for direct

marketing purposes including profiling to the extent that it is related to such direct marketing (article 19). 

The ICT Law provides that a person who sends unsolicited commercial communications to a consumer must provide the consumer with the option to unsubscribe from that person’s mailing list and, upon the consumer’s request, identify the source from which that person obtained the consumer’s personal information (article 168).

The ICT Law also provides that a person is not allowed to transmit, nor instigate the transmission of, a communication for the

purposes of direct marketing by means of electronic mail where (article 223): 

the identity of the person who has sent the communication has been disguised or concealed;

an address to which the recipient of the communication may send a request that such communication ceases has not been

provided.

Sending unsolicited commercial communications to a consumer is sanctioned by an administrative fine of between RWF 50,000 and RWF 500,000.

The Cyber Crime Law establishes spamming as a criminal offence (article 37). It defines spamming as the intentional sending, without authorisation from a competent organ, of unsolicited messages repeatedly or to a large number of persons by use of a computer or a computer system. Spamming also includes the use of a computer or a computer system, after receiving a message, to retransmit that message to many persons or to retransmit it several times to a person who does not need it.

The penalties for this offence are an imprisonment term of 3 months to 6 months and a fine of RWF 300,000 to RWF 500,000

(article 37). 

Prosecution of the spamming offence is, however, instituted only upon complaint of the offended person (article 37).

ONLINE PRIVACY

The Data Protection Law provides that the DC, DP or third-party processing personal data must respect the privacy of the data

subject (article 5). It does not provide any other specific requirement regarding cookies and location data.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Moses Kiiza Gatama
Senior Partner

T +250 788 303 877

moses.kiiza@equityjuris.com

Ian Mulisa
Partner

T +250 788 678 515

ian.mulisa@equityjuris.com


SAUDI ARABIA

Last modified 17 January 2022

LAW

The data protection landscape in the Kingdom of Saudi Arabia (“KSA”) is primarily (but not exclusively) regulated by the following:

Personal Data Protection Law (“PDPL”) when it comes into effect in March 2022; and

Personal Data Protection Interim Regulations (“PDPIR”) issued by the National Data Management Office (“NDMO”).

The PDPL was published in the KSA Official Gazette on 24 September 2021. It becomes fully effective on 23 March 2022.  Data

Controllers (as defined in the PDPL) then have another year in which to comply with the PDPL, although this period might be

extended. The PDPL will be supplemented by Executive Regulations, which should be published by 23 March 2022, and which will

provide further guidance on the application of the PDPL.

While the PDPL is not effective as law until 23 March 2022, the PDPIR is, as we understand it, in effect now.

Both the PDPIR and the PDPL have extra-territorial effect. In particular (subject to limited exceptions):

The PDPIR applies to all entities in KSA that process Personal Data in whole or in part, as well as entities outside of KSA

that process Personal Data related to individuals residing in KSA using any means, including online Personal Data

processing;

The PDPL applies to any processing of Personal Data related to individuals that takes place in KSA by any means, including

the processing of Personal Data related to individuals residing in KSA by any means by any entity outside of KSA.

There may also be specific regulations applicable to certain industries / sectors, for example, in banking, which is regulated by the

Saudi Central Bank (previously known as the Saudi Arabian Monetary Authority).

DEFINITIONS

Definition of personal data

Under the PDPIR, Personal Data is defined as “Any element of data, regardless of source or form whatsoever, which independently or

when combined with other available information could lead to the identification of a person including but not limited to: first name and last

name, Saudi national ID number, addresses, phone number, bank account number, credit card number, health data, images or videos of that

person.” 

Under the PDPL, Personal Data is defined as “Every data – of whatever source or form – that would lead to the identification of the

individual specifically, or make it possible to identify him directly or indirectly, including: name, personal identification number, addresses,

contact numbers, license numbers, records, personal property, bank account and credit card numbers, fixed or moving pictures of the

individual, and other data of personal nature.”


Definition of sensitive personal data

Under the PDPIR, Sensitive Data is defined as “Data, the loss, misuse, or unauthorized access to or modification of, that could adversely

affect the national interest or the conduct of government programs, or the privacy to which individuals are entitled.”

Under the PDPL, Sensitive Data is defined as “Every Personal Data that includes a reference to an individual’s ethnic or tribal origin, or

religious, intellectual or political belief, or indicates his membership in nongovernmental associations or institutions, as well as criminal and

security data, biometric data, genetic data, credit data, health data, location data, and data that indicates that both parents of an individual

or one of them is unknown.”

NATIONAL DATA PROTECTION AUTHORITY

As per the PDPL, the Saudi Data and Artificial Intelligence Authority (“SDAIA”) will be the data regulator for at least two years.

During this time, consideration will be given to transferring the competence to supervise the application of the PDPL (and its

Executive Regulations) to the NDMO. 

The Saudi Central Bank and the Communications and Information Technology Commission (“CITC”) both appear to maintain

their jurisdiction to regulate data protection within their remit.

REGISTRATION

The PDPIR does not impose registration requirements.

As per the PDPL, Data Controllers must register with SDAIA. There will be a fixed fee for private entities that are Data

Controllers, which is yet to be published in the Executive Regulations of the PDPL.

In addition, under the PDPL, records of processing activities (“ROPA”) need to be registered with SDAIA. Like other data protection laws, the PDPL appears to require that the Data Controller prepares a ROPA. However, unlike other data protection laws, the PDPL indicates that the ROPA must also be recorded with SDAIA.

DATA PROTECTION OFFICERS

There is no specific requirement under the PDPIR for organisations to appoint a data protection officer.

As per the PDPL, foreign Data Controllers must appoint a representative in KSA to be licensed by the “competent authority” (as

per the PDPL, this is to be determined by a decision of the Cabinet)  to perform the Data Controller’s obligations stipulated

under the provisions of the PDPL and the Executive Regulations (once issued).

This appointment does not prejudice the responsibilities of this foreign Data Controller towards the Data Subject or SDAIA. The

Executive Regulations are to set out the provisions related to licensing and the limits of the representative’s relationship with the

Data Controller outside KSA, which he represents.

COLLECTION & PROCESSING

As per the PDPIR, Personal Data may not be collected or processed without the Data Subject’s express consent.  “Consent” is

defined as “a knowing, voluntary, clear, and specific, expression of consent, whether oral or written, from the Data Subject signifying

agreement to the processing of personal data.”

As per the PDPL, the primary basis for processing is consent of the Data Subject. The Executive Regulations will outline the “cases in which the consent must be in writing”. This indicates that there may be cases in which consent can be collected by means other than in writing. However, the PDPL itself does not refer to a concept of processing for “legitimate interests” in the same manner as the GDPR, and as other data protection frameworks in the region allow for.

Rather, the PDPL allows for processing other than on the basis of consent if:

the processing achieves a “definite interest” (not defined) of the Data Subject and it is impossible or difficult to contact the Data Subject;

if the processing is in accordance with another law, or in the implementation of an earlier agreement to which the Data

Subject is a party; and

if the Data Controller is a public entity and such processing is required for security purposes or to meet judicial

requirements.

TRANSFER

Under the PDPIR, Data Controllers may only store and process Personal Data outside KSA after obtaining written approval from

the relevant “Regulatory Authority” and the Regulatory Authority must coordinate with the NDMO.

“Regulatory Authority” is defined as “Any independent governmental or public entity assuming regulatory duties and responsibilities for a

specific sector in KSA under a legal instrument.“

In the event Data Controllers are not subject to specific Regulatory Authorities, then the NDMO will exercise the roles and

functions of such authorities.  

Data Controllers must also obtain NDMO’s approval, having coordinated with the Regulatory Authority, prior to sharing Personal

Data with other entities outside of KSA.

Under the PDPL, data transfers out of KSA are even more tightly controlled than under the PDPIR. Personal Data transfers

outside of KSA are prohibited except in the following circumstances:

extreme necessity to preserve the life of a Data Subject outside of KSA or the Data Subject’s “vital interests”;

to prevent, examine or treat a disease;

if the transfer is in implementation of an obligation under which the KSA is a party;

to serve the interests of KSA; or

other purposes as determined by the Executive Regulations (yet to be issued).

However, the above is still predicated upon complying with the following conditions:

the transfer or disclosure does not prejudice national security or the vital interests of KSA;

there are sufficient guarantees for preserving the confidentiality of the Personal Data to be transferred or disclosed, so

that the standards are not less than the standards in the PDPL and the Executive Regulations;

the transfer or disclosure must be limited to the minimum Personal Data needed; and

the competent authority approves the transfer or disclosure, as determined by the Executive Regulations.

However, the competent authority may exempt the Data Controller, on a case-by-case basis, from being bound by these

conditions if:

the transfer does not prejudice national security or the vital interests of KSA;

if the competent authority, jointly or severally with other parties, sees that the Personal Data will have an acceptable level

of protection outside of KSA; and

the Personal Data is not Sensitive Data.

Note also that the relevant definitions for “processing” under both the PDPIR and PDPL include, amongst other things, transfer of

Personal Data, and so the consent requirements relating to processing are also relevant / applicable.

In addition, in certain contexts or sectors, specific approvals may be required – for example, in a banking context, approval from

the Saudi Central Bank.

SECURITY

The PDPIR and PDPL are not prescriptive about specific technical standards or measures with regards to specific security

requirements.


However, the PDPIR does provide that Personal Data should be protected from leakage, damage, loss, theft, misuse, modification,

or unauthorised access according to the controls issued by the National Cybersecurity Authority and other relevant authorities.

Similarly, the PDPL provides that the Data Controller must take the necessary organisational, administrative and technical

measures and means to ensure Personal Data is preserved, including when it is transferred, in accordance with the provisions and

controls specified in the Executive Regulations.

BREACH NOTIFICATION

Under the PDPIR, Data Controllers must notify the Regulatory Authorities immediately, and no later than 72 hours, in the event

of any data breach or leakage impacting Personal Data in accordance with the mechanisms and procedures determined by the

Regulatory Authorities. In the event Data Controllers are not subject to specific Regulatory Authorities, then the NDMO will

exercise the roles and functions of such authorities.  

Under the PDPL, Data Controllers must notify the competent authority (as per the PDPL, this is to be determined by a decision

of the Cabinet) as soon as it becomes aware of the occurrence of a leakage or damage of Personal Data, including if Personal Data

was illegally accessed. In addition, the Executive Regulations will specify circumstances in which the Data Controller must notify

the Data Subject in the event of a leakage or damage of the Data Subject’s Personal Data or illegal access thereto. However, if the

occurrence of any of the above would cause serious harm to the Data Subject’s data or the Data Subject, the Data Controller

must notify the Data Subject immediately.

In addition, notification obligations may be triggered in specific contexts / sectors – for example, cloud service providers may be

required to report security breaches to the CITC depending upon the circumstances.

ENFORCEMENT

The PDPIR does not contain any express enforcement mechanism or penalties for non-compliance.

As per the PDPL, there are criminal penalties and fines for the following offences:

unlawfully transferring data out of KSA (imprisonment of up to 1 year and/or a fine of up to SAR 1 million); and

disclosing or publishing Sensitive Data unlawfully with intent of harming the Data Subject or with the intention of achieving

some personal benefit (imprisonment up to 2 years and/or a fine of up to SAR 3 million).

Separately, SDAIA has the power to issue warnings / administrative fines of up to SAR 5 million for any other violation, which is

appealable. This is without prejudice to any more severe penalty stipulated in another law. 

Note, the competent court may double the penalty of a fine for repeat offenders.

ELECTRONIC MARKETING

There are specific rules around the use of Personal Data for marketing purposes in the PDPL. This includes that Data Controllers

must not use personal means of communications, including postal and electronic addresses, of the Data Subject in order to send

promotional or awareness materials without first obtaining the consent of the Data Subject, and providing the Data Subject with a

mechanism to opt-out.

Additional requirements may also apply in specific contexts – for example, in the context of e-commerce activity.

ONLINE PRIVACY

There is no specific legislation in the KSA that specifically regulates the use of cookies. 

Assuming the relevant cookies will collect, process or transfer Personal Data, then, under the PDPIR and, once in effect, the

PDPL, it is generally recommended that opt-in consent is secured in relation to the use of cookies.


KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Mohamed Moussallati
Legal Director

T +966 11 288 5449

mohamed.moussallati@dlapiper.com


SENEGAL

Last modified 15 January 2022

LAW

The data protection regime in Senegal is mainly governed by the following laws and regulations: 

Act No 2008-12 of 25 January 2008 Concerning Personal Data Protection (“the Act”)

Decree No 2008-721 of 30 June 2008 relating to the implementation of Act No 2008-12 of 25 January 2008 Concerning Personal Data Protection (“the implementing Decree”)

Directive (“Circulaire”) No. 2757 of June 24, 2014, issued by the Prime Minister’s Office, designating focal points of the CDP within the ministries regarding the census of files relating to personal data

Act No. 2008-08 of January 25, 2008, on electronic transactions

Act no. 2016-29 dated 8 November 2016 amending the criminal code

Act. No. 10-2021 of 25th June 2021 amending the criminal code.

DEFINITIONS

Definition of Personal Data

“Personal Data” means all data relating to an identified or identifiable individual, by reference to an identification number or to one or more characteristics of his physical, physiological, genetic, psychical, cultural, social or economic identity (Article 4 of the Act).

Definition of Sensitive Personal Data

“Sensitive Personal Data” means data relating to: religious, philosophical or political opinions or union activities; sex life; race; health; social measures and prosecutions; and criminal and administrative sanctions (Article 4 of the Act).

NATIONAL DATA PROTECTION AUTHORITY

The National Data Protection Authority is the Commission de Données Personnelles (“CDP”).

The CDP is an independent administrative authority responsible for ensuring that the processing of personal data is carried out in accordance with the provisions of the Act.

The CDP’s main duties include:

informing the data holders and the data controllers of their rights and obligations. To this end:

it receives the formalities prior to the creation of processing of personal data;

it receives complaints, petitions and claims relating to the implementation of the processing of personal data and

informs their authors of the follow-up given to them;

it informs the public prosecutor without delay of the offences of which it has knowledge;


it may, by special decision, entrust one or more of its members or agents of its services with the task of carrying

out verifications relating to any processing and, where appropriate, obtaining copies of any document or

information medium useful for its mission;

it may, under the conditions defined in Articles 29 to 32 of the Act, impose a sanction on a data controller;

it responds to any request for an opinion.

approving the charters of use that are presented to it;

keeping a directory of personal data processing at the disposal of the public;

advising the persons and organizations that have recourse to the processing of personal data or that carry out tests or

experiments that may lead to such processing;

authorizing, under the conditions provided for in the Act, the transborder transfer of personal data;

presenting to the Government any suggestion that may simplify and improve the legislative and regulatory framework for

data processing;

cooperating with the personal data protection authorities of third countries and participating in international negotiations on personal data protection;

publishing the authorizations granted and the opinions issued in the directory of personal data processing;

drawing up an annual activity report submitted to the President of the Republic and the President of the National

Assembly.

REGISTRATION

There is no country-wide system of registration in Senegal. However, the processing of personal data may be subject to prior notification to, or authorization / prior approval from, the CDP.

Notification regime 

Businesses must notify the CDP in respect of their processing activities, except in the following cases: 

Non-profit processing for religious, philosophical or political associations, or trade unions (when the data correspond to

the purpose of the association or trade union, concern only their members and are not disclosed to third parties).

Processing for the sole purpose of keeping a register; by law, this is intended exclusively to provide public information and

is open to consultation for any person with a legitimate interest. 

(Article 18 of the Act) 

Authorization/Prior approval regime 

Prior approval from the CDP is required for processing of: 

Genetic data;

Data relating to offences, convictions or security measures;

Data that involve an interconnection of files;

Data that include a national identification number;

Biometric data;

Data that are of public interest, particularly for historical, statistical or scientific purposes.

Authorisation is however not required in the following cases:

Data processing for private purposes only;

Temporary data copies for transmission, network access and automatic storage purposes, provided they are made to improve network user access;

Data processing by non-profit organisations for religious, philosophic, political or union purposes only;

Data processing for public register purposes. 

Notice/Opinion regime (“Avis”) 


The automated processing of personal information carried out on behalf of the State, a public institution, a local authority or a legal person under private law managing a public service is decided by regulatory act taken after a reasoned opinion from the CDP. Such processing relates to:

State security, defense or public safety;

the prevention, investigation, recording or prosecution of criminal offences or the execution of criminal sentences or security measures;

the population census;

personal data that reveal, directly or indirectly, the racial, ethnic or regional origins, parentage, political, philosophical or religious opinions or trade union membership of persons, or that relate to the health or sexual life of persons when they are not covered by provisions related to interconnection of data;

the processing of salaries, pensions, taxes, and other settlements. 

(Articles 20 and 21 of the Act)

DATA PROTECTION OFFICERS

The appointment of a Data Protection Officer (“DPO”) is left to the exclusive discretion of the data controllers regarding businesses.

However, the Act provides that the department responsible for carrying out the processing, the categories of persons who, by reason of their duties or for the needs of the department, have direct access to the recorded data, and the function of the person or department with whom the right of access to the processed data is exercised shall be communicated to the CDP.

(Article 22 of the Act) 

Additionally, the CDP is available to assist businesses with the training of their DPO on data protection law and regulations.

Regarding ministries, the appointment of data focal points of the CDP (“Points focaux”) is required in each ministry for the purposes of the census and declaration of files and databases, according to Directive No. 2757 of June 24, 2014, designating focal points of the CDP within the ministries regarding the census of files relating to personal data.

COLLECTION & PROCESSING

Data controllers are subject to the following principles and requirements.

The obligations of data controllers include: 

Transparency: Data Controllers must inform the Data Subjects about the processing and personal data processed.

Security: Data Controllers are required to ensure the security of personal data. They must prevent the data’s alteration and damage, or access by non-authorised third parties.

Confidentiality: The Data Controller must ensure confidentiality and security of the processing. 

(Articles 34 and 35 of the Act) 

The Data holders/subjects have rights to: 

Access and obtain the following from the Data Controller: information which they are entitled to know and which will allow them to contest the processing; confirmation of whether their personal data forms part of the processing; a copy of their personal data (in an accessible form), as well as any available information on the data’s origin; information relating to the purposes of the processing and the categories of processed data; the recipients or categories of recipients to whom the data are disclosed; and transfers of personal data outside the country.

Request that the Data Controller rectify or delete their personal data if they are inaccurate, incomplete, unclear, or expired, or if the collection, usage, disclosure, or retention of the data is prohibited.

Object to the processing on legitimate grounds, including for marketing purposes, unless the processing satisfies a legal obligation.


Complain to the CDP at any time the processing of their Personal Data does not comply with the Data Protection Act.

(Articles 33, 62, 63 and 69 of the Act)

TRANSFER

Transfer of personal data to another country is prohibited unless the receiving country provides sufficient protection for the Data Subject’s private life, liberties and fundamental rights.

Countries that are members of the African Association of data protection (‘Association Francophone des Autorités de Protection des Données Personnelles’) are considered to have sufficient protection for the Data Subject’s private life, liberties and fundamental rights. Other countries are assessed on a case-by-case basis and on criteria including the existence of a data protection law and of an authority responsible for data protection.

A transfer to a country not offering a sufficient level of protection is possible if the transfer is timely and non-massive, if the Data Subject agrees to it or if the transfer is necessary to:

Protect the life of the Data Subjects/Holders;

Protect the public interest;

Comply with obligations allowing the acknowledgment, exercise, or defence of a legal right in court; and

Perform an agreement between the Data Subject and the Data Processor or take precontractual measures upon the request of the Data Subject.

In any case, prior to transferring personal data, the Data Controller must inform the CDP. The information must include:

The name and address of the data sender;

The name and address of the data recipient;

The full data file and description;

The type of personal data transferred;

The number of persons concerned;

The data processing purpose;

The transfer method and frequency;

The first transfer date. 

(Articles 49-51 of the Act)

SECURITY

Data Controllers are required to ensure the security of personal data. They must prevent the data’s alteration and damage, or access by non-authorised third parties. In this regard, Data Controllers should make sure that:

Persons with access to the system can only access the data that they are allowed to access;

The identity and interest of any third-party recipients of the data can be verified;

The identity of persons who have access to the system (to view or add data) can be verified;

Unauthorised persons cannot access the place and equipment used for the data processing;

Unauthorised persons cannot read, copy, modify, destroy, or move data;

All data entered onto the system are authorised;

The data will not be read, copied, amended, or deleted without authorisation during the transport or communication of the data;

The data are backed up with security copies;

The data are renewed and converted to preserve them. 

(Article 71 of the Act)

BREACH NOTIFICATION


A data breach is subject to the following sanctions:

Imprisonment for a period of between one and seven years;

Fines of between XOF 500,000 and 10 million. The judge can choose one of the sanctions listed above or a combination of them.

(Article 431-14 of the Criminal Code). 

Where the breach is imputable to a legal person, its criminal liability will be determined according to the provisions of article 25 of Act No. 10-2021 of 25th June 2021 amending the criminal code.

Mandatory breach notification

No mandatory breach notification protocol is provided under Senegal law.

ENFORCEMENT

The CDP has enforcement powers including:

Investigative powers: The CDP can conduct three types of investigation:

On-site inspections: In this case, the CDP may have access to any materials (servers, computers, applications, etc.) and any place (offices, buildings) in which personal data are processed;

Documentary inspections: These inspections allow the CDP to obtain disclosure of documents or files upon written request;

Hearing inspections: These inspections consist of interrogation in their offices or summoning representatives of Data Controllers to obtain any necessary information.

Administrative fines for infringements of the Data Protection Act: The CDP has the power to impose administrative fines for infringement of the Data Protection Act provisions. The fines range between XOF 1 million and XOF 100 million.

Non-compliance with a data protection authority: Non-compliance with the CDP can lead to the following sanctions:

a warning;

an injunction to put an end to defaults within the time limit set by the Commission; or

a provisional withdrawal of the authorisation granted for a period of three months, at the expiry of which the withdrawal becomes final.

In case of urgency, the CDP can:

interrupt a processing for a duration that cannot exceed three months;

lock certain kinds of data for a duration that cannot exceed three months; or

prohibit, provisionally or definitively, data processing that does not comply with the Act. 

(Articles 29-31 of the Act)

ELECTRONIC MARKETING

Data Subjects have the right to object, free of charge, to the processing of their Personal Data for direct marketing. 

The sending of marketing communications is forbidden on principle unless the recipient agrees to it. 

Also, there are two exceptions where prior approval is not required: 

The recipient’s information was collected directly from him, in accordance with the provisions of the Act.

The recipient is already a customer of the company, the marketing messages relate to products or services that are similar to those previously provided, and the recipient is given the possibility of objecting to all messages sent to him.

(Article 16 of the Act No. 2008-08 of January 25, 2008, on electronic transaction and article 47 of the Act) 


Sending marketing communications in breach of the applicable restrictions is subject to the following sanctions:

seven years’ imprisonment;

or an XOF 1 million fine;

or both above sanctions. 

(Article 431-20 of the Senegalese Criminal Code)

ONLINE PRIVACY

There is no specific restriction on the use of cookies under the Act. However, the CDP requires that the Data Subject be informed of the use of cookies and that his consent be collected.

KEY CONTACTS

Geni & Kebe

www.dlapiperafrica.com/senegal

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Mouhamed Kebe
Partner

Geni & Kebe

T +221 76 223 63 30

mhkebe@gsklaw.sn

Mahamat Atteib
Associate

Geni & Kebe

T +221 77 737 41 74

m.atteib@gsklaw.sn


https://www.dlapiperdataprotection.com/scorebox/


SERBIA

Last modified 17 January 2022

LAW

In late 2018, Serbia updated its data protection law to better align with the EU General Data Protection Regulation. Serbia enacted a new Data Protection Law on 9 November 2018 (published in the Official Gazette of the Republic of Serbia, no. 87/2018) (“DP Law”). Although the DP Law entered into force on 21 November 2018, its effective date was postponed until 21 August 2019 (except for the maintenance of the Central Register of Personal Databases, which has already been terminated).

The DP Law was long awaited, as it had been 10 years since the previous data protection law was passed. Its content is largely harmonized with the GDPR. It has been fully effective since 21 August 2019.

DEFINITIONS

Definition of personal data

Under the DP Law, personal data is any information about a natural person through which the respective person is identified or identifiable (for example, name, address, email address, photo, etc.).

NATIONAL DATA PROTECTION AUTHORITY

The Serbian data protection authority is the Commissioner for Information of Public Importance and Protection of Personal Data (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) (“DPA”).

It is seated at Bulevar kralja Aleksandra 15, Belgrade, and its website is www.poverenik.rs.

REGISTRATION

The obligation for the maintenance of the Central Register of Personal Databases by the DPA, which existed under the previous data protection law, was terminated immediately upon the entry into force of the DP Law. Under the DP Law, controllers and processors are only required to internally maintain the database records, and only if they have more than 250 employees or if they are involved in certain types of processing or process certain types of personal data (such as, for example, special categories of data or personal data relating to criminal convictions and offences). The latter two conditions apply regardless of the number of employees a processor or controller has.

DATA PROTECTION OFFICERS

According to the DP Law, controllers and processors are required to designate a data protection officer (“DPO”), whose primary task is to ensure compliance with the data processing law and regulations and to communicate with the DPA and the data subjects on all data protection matters. Similar to the GDPR, this obligation applies if the following criteria are met:

The processing is carried out by a public authority (with the exception of a court performing its judiciary authorizations).


The core activities of the controller / processor require the regular and systematic monitoring of data subjects on a large scale, or the large-scale processing of special categories of personal data (eg, health data or trade union memberships) or criminal convictions / offences data.

The DPO may be employed or engaged under a service contract, and in any case must have sufficient expert knowledge. A group of companies may appoint a single DPO, provided that he is equally accessible to each company.

Controllers and processors are required to ensure the DPO’s independence in the performance of his tasks. This means the following:

No instructions may be given to the DPO.

The DPO must report directly to the manager of the controller / processor.

The DPO may not be dismissed or penalized for performing his or her tasks.

COLLECTION & PROCESSING

The collection and further processing of personal data has to be legitimate and legally grounded, meaning pursuant to the data subject’s consent or as specifically provided by law.

Under the DP Law, there are a few instances where a data subject’s personal data may be processed without the data subject’s consent (for example, when the processing is necessary for fulfilment of the data controller’s legal obligations or for the performance of an agreement concluded between a data controller and data subject) (“Exceptional Cases”).

Apart from the Exceptional Cases, prior informed consent from data subjects is generally required to collect and process personal data, meaning that any request for consent has to contain all the information on the particular processing which is explicitly prescribed by the DP Law (for example, the data subject must be notified of the purpose and legal grounds for the processing, information on other recipients of the data in cases when the data is disclosed to entities other than the data controller, and information on the statutory rights of the data subjects in relation to the respective processing, etc.).

Although consent is necessary, it does not automatically mean that any processing to which a data subject has consented will be regarded by the DPA as compliant with the DP Law. There are also other conditions which must be met under the DP Law (eg, the purpose must be legitimate and clearly determined, and the type and scope of processed data must be proportionate to the respective purpose).

In addition to written consent, the DP Law explicitly introduces other forms of consent, such as online consent, oral consent or consent by other clear affirmative action, provided that the controller is able to demonstrate that the data subject has indeed consented.

The conditions for obtaining consent have become much stricter under the DP Law than under the previous legislation. Similar to the GDPR, consent must be freely given, specific, informed and unambiguous. For example, there is a presumption that consent will not be valid unless separate consents are obtained for different processing operations, where appropriate; and the request for consent, when presented in a written document, must be clearly distinguishable from all other matters, using clear and plain language (meaning catch-all clauses will not be valid). Further, consent will not be considered freely given if the performance of a contract is conditional on consent to the processing of personal data that is not necessary for its performance.

In addition, one important novelty introduced by the DP Law (similar to the GDPR) is that it applies not only to the processing of data carried out by Serbian controllers and processors, but also to the processing of data by controllers and processors based outside of Serbia whose processing activities relate to the offering of goods or services (even if offered for free) or to monitoring the behavior of Serbian data subjects within Serbia. As a result, a number of these controllers and processors will need to appoint representatives in Serbia for correspondence with the DPA and the data subjects on all issues related to processing.

TRANSFER


Under the previous data protection law, the DPA’s prior approval was a precondition for a legitimate data transfer whenever a transfer was to be made to any country which had not signed and ratified the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (“Relevant Convention”). The data transfer regime has now been completely revamped and liberalized under the DP Law, which is a much-welcomed change from the previous overly restrictive concept. The DP Law explicitly applies to both direct and indirect data transfers, unlike the previous law, under which it was not fully clear whether indirect transfers were covered at all.

Under the DP Law, controllers will be entitled to transfer personal data abroad if one of the following conditions (among others) is met:

Personal data is to be transferred to a country that ratified the Relevant Convention.

Data transfers are to a country included on the Serbian government’s list of countries providing an adequate level of data protection (EU countries, other countries which are member states of the Relevant Convention and some other countries such as, for example, Canada (for business subjects only) and Japan).

Data transfers are performed to a country which has a bilateral agreement with Serbia regulating data transfers.

The transfer is based on the standard contractual clauses prepared by the Serbian DPA.

The transfer is based on binding corporate rules or a code of conduct approved by the Serbian DPA, or on certificates issued in accordance with the law.

The Serbian DPA has issued a specific approval for the transfer to be performed on the basis of an agreement between the data exporter and the data importer.

The data subject has explicitly consented to the proposed transfer, after having been informed on the possible risks.

This should create more options for the transfer of data to non-European countries, especially since the DPA has prepared the aforementioned standard contractual clauses, which are adopted and applicable as of 30 January 2020 (keeping in mind, however, that under the DP Law the respective SCC mechanism will be available only when a data importer is a data processor). In addition, it is expected that the process of obtaining the DPA’s approval for data transfers will be more efficient, and should be completed within 60 days.

SECURITY

Similar to the GDPR, the DP Law introduces burdensome accountability obligations on data controllers, which are required to “demonstrate compliance”. This includes an obligation to do all of the following:

Implement, maintain and update appropriate technical, organizational and human resources measures to ensure a level of security appropriate to the risk involved, taking into account the state of the art and associated implementation costs, etc.

Have in place certain documentation, such as data protection policies and records of processing activities.

Implement data protection by design and by default.

Conduct a data protection impact assessment for those processing operations that are considered higher risk to the rights and freedoms of individuals.

Data protection by design requires the controllers to adopt, as well as maintain and update when needed, appropriate measures (such as pseudonymization and data minimization) which will implement the safeguards necessary for processing. Data protection by default, on the other hand, requires the controllers to adopt measures so that, by default, only the processing which is necessary for the specific purpose will be possible (eg, that, by default, privacy settings on one’s social network profile do not make the data public).

BREACH NOTIFICATION

The DP Law imposes data breach notification obligations that largely track the GDPR. Furthermore, the Law on Electronic Communications (‘Official Gazette of the Republic of Serbia’, nos. 44/2010, 60/2013, 62/2014 and 95/2018) (“EC Law”) imposes a duty on entities which perform or are authorized to perform electronic communications’ activities (Operators) to notify the Regulatory Agency for Electronic Communications and Postal Services (“RATEL”), as the competent state authority, of any breach of security and integrity of public communication networks and services which has influenced their work significantly, and particularly of breaches which resulted in the violation of protection of personal data or privacy of the respective networks’ / services’ users / subscribers.

Nonperformance of this statutory obligation can lead to liability and fines of up to EUR 17,000 for a legal entity, and up to EUR 1,275 for a responsible person in a legal entity. Protective measures may also be imposed: for a legal entity, a prohibition against performing business activities for a duration of up to three years, and for a responsible person in a legal entity, a prohibition against performing certain duties for a duration of up to one year.

According to the DP Law, the data breach obligations present a significant responsibility, as data controllers will generally be required to document each data breach as well as to notify the DPA of such breach (if it is likely to result in a risk to the rights and freedoms of individuals) without undue delay and, when feasible, within 72 hours after becoming aware of the breach. In addition, data processors will have to notify the controllers of the breach without undue delay.

If the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is also required to communicate the personal data breach to the individuals concerned without undue delay. However, this does not apply if the controller has implemented appropriate technical and organizational measures, such as encryption, that have rendered the relevant data unintelligible to any unauthorized person; and if the notification would involve disproportionate effort, a public communication or a similar measure must be made instead in order to properly inform the individuals.

ENFORCEMENT

The DPA is responsible for the enforcement of the DP Law. Namely, the DPA is authorized and obliged to monitor whether the law is implemented, and it conducts such monitoring both on its own accord and based on any complaints it receives. If it establishes, when performing the respective monitoring, that a particular person / entity which processes personal data has acted in contravention of the statutory rules on processing, the DPA shall issue a warning to the particular data controller. It may also issue a decision by which it can, among other things:

Order the data controller to eliminate the existing irregularities within a certain period of time.

Temporarily forbid particular processing.

Order deletion of the data collected without a legal ground.

The DPA’s decision cannot be appealed, but an administrative dispute can be initiated against the respective decision before a competent Serbian court.

Depending on the gravity of the particular misconduct and the data controller’s behavior with respect to the same, the DPA can initiate an offence proceeding against the respective data controller before the competent court. The offences and sanctions for such are explicitly prescribed by the DP Law. The respective sanctions are fines of up to EUR 17,000 for a legal entity and up to EUR 1,275 for a responsible person in a legal entity. Additionally, the DPA is now also able to directly fine controllers and processors in certain situations, with fines in the amount of EUR 850. Prior to the adoption of the DP Law, only the Court of Offences was entitled to impose fines.

Criminal liability is also a possibility, since the Serbian Criminal Code prescribes a criminal offence of unauthorized collection of personal data. The prescribed sanctions are a fine (of an amount to be determined by the court) or imprisonment of up to one year. Both natural persons and legal entities can be subject to the respective liability.

Formally speaking, under the Law on Administrative Procedure (‘Official Gazette of the Republic of Serbia’, nos. 18/2016 and 95/2018), the DPA is also authorized to enforce its orders by threatening a company with a fine of up to 10% of its annual income in Serbia in case it fails to comply with the order. This is a relatively new option for Serbian authorities that has not yet been tested in practice, to the best of our knowledge.

ELECTRONIC MARKETING

Electronic marketing is only mentioned in the DP Law in the context of the data subjects’ right of complaint. The rules on this subject are envisaged by the Law on Electronic Trade (‘Official Gazette of the Republic of Serbia’, nos. 41/2009, 95/2013 and 52/2019), the EC Law (as defined above in the section on Breach Notification), the Law on Advertising (‘Official Gazette of the Republic of Serbia’, nos. 6/2016 and 52/2019) and the Consumer Protection Law (Official Gazette of the Republic of Serbia, no. 88/2021) (together, the “Relevant Legislation”).

In brief, based on the Relevant Legislation, electronic marketing is only allowed if it is covered by an explicit, prior consent of the person to whom the respective marketing is directed. Additionally, recipients should always be:

Clearly informed of the identity of the sender and the commercial character of the communication (this information should be provided in the Serbian language prior to commencing the marketing).

Provided with a way to opt out of future marketing messages, at any time and free of charge.

For the sake of completeness, it should be noted that, under the most recent changes of July 2019 to the aforementioned Law on Electronic Trade, the principle that prior consent is necessary for electronic marketing, i.e. for electronic commercial communication, remained, but it is now also envisaged that certain types of electronic communication shall not be regarded as commercial communication and, consequently, should not be subject to prior consent. Such exempt communications include (1) providing information which enables direct access to the business activities of a particular entity, such as information on its e-address or e-mail, and (2) providing information on a particular entity’s goods, services or business reputation if such information is obtained by research or in some other similar way and if it is provided free of charge.

Finally, it is also envisaged by the new Serbian Consumer Protection Law, as referred to above, which became applicable (with the exception of some of its provisions) on 20 December 2021, that it is forbidden to make phone calls and/or send messages by phone to any individuals/consumers whose phone numbers are inscribed in the register of consumers who do not want to receive calls and/or messages as part of a promotion and/or sales by phone. This register shall be public in the part relating to the phone numbers and the date of inscription in the register. It should also be noted that, regardless of the inscription in this register, the consent of a consumer for direct marketing given to a particular entity/trader before or after the inscription in the register remains valid until its withdrawal, made in line with the DP Law.

ONLINE PRIVACY

There are no specific regulations explicitly governing online privacy (including cookies). Accordingly, the general data protection rules, as introduced by the DP Law, are, to the extent applicable, relevant for online privacy as well.

On the other hand, it should be noted that the EC Law, as defined in the section on Breach Notification above, introduces rules on the processing of traffic data and location data, which are obligatory for entities which are the Operators (as defined above in the section on Breach Notification) of public communication networks and publicly available electronic communication services. Under these rules, these Operators are allowed to do the following:

Process traffic data only as long as such data is necessary for a communication’s transmission; thus, when such necessity ceases to exist, the Operators are obliged (unless they have obtained the prior consent of the data subjects for using the respective data for marketing purposes) to delete such data, or to keep the data only if they take measures to make the data anonymous.

Generally process location data only if the persons to which the data relate are made unrecognizable or if they have such persons’ prior consent for the purpose of providing them with value added services (but even if such consent does exist, only in the scope and for the time during which the processing is needed for the respective purpose’s realization).

Violations are subject to the fines set forth in Breach Notification above.


KEY CONTACTS

Karanovic & Nikolic

www.karanovic-nikolic.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Sanja Spasenović
Attorney at Law in cooperation with Karanovic & Partners

Karanovic & Partners

T +381 11 3094 200/ +381 11 3955 413

sanja.spasenovic@karanovicpartners.com


SEYCHELLES

Last modified 14 January 2020

LAW

The Data Protection Act (the ‘Act’) was enacted in 2003 (Act No. 9 of 2003) with the aim of protecting the fundamental privacy

rights of individuals against the use of data concerning them without their informed consent. The Act will come into operation on

such date as the Minister notifies in the official Gazette.

As of January 2020, the Act has not yet come into operation.

DEFINITIONS

Definition of personal data

Personal data is defined under the Act as data consisting of information which relates to a living individual who can be identified

from that information (or from that and other information in the possession of the data user), including any expression of opinion

about the individual but not any indication of the intentions of the data user in respect of that individual.

Definition of sensitive personal data

The Act does not define sensitive personal data. However the Act makes provision for the Minister to modify or supplement the

Data Protection Principles set out in the Act for the purpose of providing additional safeguards in relation to personal data

consisting of information as to:

the racial origin of the data subject

his political opinions or religious or other beliefs

his physical or mental health or his sexual life, or

his criminal convictions.

NATIONAL DATA PROTECTION AUTHORITY

The creation of the Office of the Data Protection Commissioner is envisaged by the Act but has not yet taken place.  

REGISTRATION

A person shall not hold personal data unless an entry in respect of that person as a data user, or as a data user who also carries

on a computer bureau, is for the time being contained in the register of data users maintained by the Data Protection

Commissioner.

The particulars to be entered into the data register are as follows:

the name and address of the data user


a description of the personal data to be held by it and of the purpose or purposes for which the data is to be held or used

a description of every source from which it intends or may wish to obtain the data or the information to be contained in

the data

a description of every person to whom it intends or may wish to disclose the data (otherwise than in cases of exemptions

from non-disclosure as set out in the Act)

the name of every country outside Seychelles to which it intends or may wish directly or indirectly to transfer the data,

and

one or more addresses for the receipt of requests from data subjects for access to the data.

A person applying for registration shall state whether he wishes to be registered as a data user, as a person carrying on a

computer bureau or as a data user who also carries on a computer bureau, and shall furnish the Data Protection Commissioner

with the particulars required to be included in the entry to be made in pursuance of the application. Where a person intends to

hold personal data for two or more purposes he may make separate applications for registration in respect of any of those

purposes.

A registered person may at any time apply to the Data Protection Commissioner for the alteration of any entries relating to that

person. Where the alteration would consist of the addition of a purpose for which personal data are to be held, the person may

make a fresh application for registration in respect of the additional purpose.

The Data Protection Commissioner shall, as soon as practicable and in any case within the period of 6 months after receiving an

application for registration or for the alteration of registered particulars, notify the applicant in writing whether his application has

been accepted or refused. Where the Commissioner notifies an applicant that his application has been accepted, the notification

must state the particulars which are to be entered in the register, or the alteration which is to be made, as well as the date on

which the particulars were entered or the alteration was made.

No entry shall be retained in the register after the expiration of the initial period of registration except in pursuance of a renewal

application made to the Data Protection Commissioner. The initial period of registration and the period for which an entry is to

be retained in pursuance of a renewal application (‘the renewal period’) shall be a period of 5 years beginning with the date on which

the entry in question was made or, as the case may be, the date on which that entry would fall to be removed if the application

had not been made.

The person making an application for registration or a renewal application may in his application specify as the initial period of

registration or, as the case may be, as the renewal period, a period shorter than five years, being a period consisting of one or

more complete years.

DATA PROTECTION OFFICERS

The Act does not contain any legal requirement to appoint a data protection officer. 

COLLECTION & PROCESSING

The data protection principles set out in the Act apply to personal data held by data users. Those data protection principles are as

follows:

the information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully

personal data shall be held only for one or more specified and lawful purposes

personal data held for any purpose or purposes shall not be used or disclosed in any manner incompatible with that

purpose or those purposes

personal data held for any purpose or purposes shall be adequate, relevant and not excessive in relation to that purpose


or those purposes

personal data shall be accurate and, where necessary, kept up to date

personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those

purposes

an individual shall be entitled:

at reasonable intervals, and without undue delay or expenses to be informed by any data user whether he holds

personal data of which that individual is the subject

to access to any such data held by a data user, and

where appropriate, to have such data corrected or erased.

TRANSFER

If it appears to the Data Protection Commissioner that a person registered as a data user (or as a data user who also carries on a

computer bureau) intends to transfer personal data held by him to a place outside the Seychelles, the Data Protection

Commissioner may, if satisfied that the transfer is likely to contravene or lead to a contravention of any data protection principle,

serve that person with a transfer prohibition notice prohibiting him from transferring the data either absolutely or until he has

taken such steps as are specified in the notice for protecting the interests of the data subjects in question.

In deciding whether to serve a transfer prohibition notice, the Data Protection Commissioner shall consider whether the notice is

required for preventing damage or distress to any person and shall have regard to the general desirability of facilitating the free

transfer of data between the Seychelles and other states.

A transfer prohibition notice shall specify the time when it is to take effect and contain a statement of the principle or principles

which the Data Protection Commissioner is satisfied are contravened and his reasons for reaching that conclusion, as well as

particulars of the right of appeal conferred by the Act.

The Data Protection Commissioner may cancel a transfer prohibition notice by written notification to the person on whom it was

served.

No transfer prohibition notice shall prohibit the transfer of any data where the transfer of the information constituting the data is

required or authorised by or under any enactment or is required by any convention or other instrument imposing an international

obligation on the Seychelles.

Any person who contravenes a transfer prohibition notice shall be guilty of an offence but it shall be a defence for a person

charged with an offence under this subsection to prove that he exercised all due diligence to avoid a contravention of the notice in

question.

SECURITY

The Act provides that appropriate security measures shall be taken against unauthorised access to, or alteration, disclosure or

destruction of, personal data and against accidental loss or destruction of personal data.

BREACH NOTIFICATION

Breach notification

There is no mandatory requirement in the Act to report data security breaches or losses to the Data Protection Commissioner.

However, the Act provides that the Data Protection Commissioner may consider any complaint that any of the data protection

principles or any provision of this Act has been or is being contravened and shall do so if the complaint appears to him to raise a

matter of substance and to have been made without undue delay by a person directly affected.


Where the Data Protection Commissioner investigates any such complaint he shall notify the complainant of the result of his

investigation and of any action which he proposes to take.

Mandatory breach notification

None contained in the Act.

ENFORCEMENT

If the Data Protection Commissioner is satisfied that a registered person has contravened or is contravening any of the data

protection principles, the Data Protection Commissioner may serve that person with an enforcement notice requiring him to take

such steps for complying with the principle or principles in question. In deciding whether to serve an enforcement notice the Data

Protection Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress.

An enforcement notice in respect of a contravention of the data protection principle concerning data accuracy may require the

user to rectify or erase the data and any other data held by him containing an expression of opinion which appears to the Data

Protection Commissioner to be based on the inaccurate data.

If by reason of special circumstances the Data Protection Commissioner considers that the steps required by an enforcement

notice should be taken as a matter of urgency, he may include a statement to that effect in the notice.

The Data Protection Commissioner may cancel an enforcement notice by written notification to the person on whom it was

served.

Any person who fails to comply with an enforcement notice shall be guilty of an offence; but it shall be a defence for the person

charged with an offence under this subsection to prove that he exercised all due diligence to comply with the notice in question.

If the Data Protection Commissioner is satisfied that a registered person has contravened or is contravening any of the data

protection principles, the Commissioner may serve the person with a de-registration notice stating that the Data Protection

Commissioner proposes to remove from the register all or any of the particulars constituting the entry or any of the entries

contained in the register in respect of that person. In deciding whether to serve a de-registration notice, the Data Protection

Commissioner shall consider whether the contravention has caused or is likely to cause any person damage or distress, and the

Data Protection Commissioner shall not serve such a notice unless he is satisfied that compliance with the principle or principles

in question cannot be adequately secured by the service of an enforcement notice.

ELECTRONIC MARKETING

Although not specifically provided for in the Act, the latter will apply to most electronic marketing activities, as there is likely to be

processing and use of personal data involved (for instance, an email is likely to be considered as personal data for the purposes of

the Act).

ONLINE PRIVACY

The Act does not contain specific provisions in relation to online privacy.


KEY CONTACTS

Juristconsult Chambers

www.juristconsult.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Shalinee Dreepaul Halkhoree
Partner-Barrister

Juristconsult Chambers

T +230 465 00 20 Extension 225

sdreepaul@juristconsult.com


SINGAPORE

Last modified 21 December 2021

LAW

Singapore enacted the Personal Data Protection Act of 2012 (No. 26 of 2012) (“Act”) on October 15, 2012. A draft Personal Data Protection (Amendment) Bill (“Amendment Bill”) was passed in the Singapore Parliament in November 2020.

Certain sections of the Amendment Bill are now in force under the Personal Data Protection (Amendment) Act 2020 (as of February 1, 2021). These include mandatory data breach notification, an expanded deemed consent framework, new exceptions to the express consent requirement and new offences for the egregious mishandling of personal data or the unauthorized re-identification of anonymized information. The sections on increased financial penalty and the right of data portability are expected to come into force no earlier than February 1, 2022.

In addition, the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Personal Data Protection

Regulations 2021 came in effect from October 1, 2021. The updates to these include, among other things, clarifications to the

scope of significant harm for mandatory data breach reporting and additional defences to the offence of egregious mishandling of

personal data.

The Act has extraterritorial effect, meaning it applies to organizations collecting, using or disclosing personal data in Singapore

whether or not the organization itself has a physical presence or is registered as a company in Singapore.

In addition to the Act, the Singapore data protection regime consists of various general or sector / industry-specific guidelines issued by the Personal Data Protection Commission (“Commission”). While these guidelines are advisory in nature and not legally binding, they indicate the manner in which the Commission will interpret the Act. Therefore, it is best practice to carefully observe and follow these guidelines.

The data protection obligations under the Act do not apply to the public sector, to whom separate rules under the Government

Instruction Manual 8 (“IM8”) and the Public Sector (Governance) Act apply. Collectively, these rules provide comparable

standards of data protection compared to the Act, including similar investigations and enforcement actions taken against data

security breaches. The Public Sector Data Security Review Committee was convened on March 31, 2019 to conduct a

comprehensive review of data security policies and practices across the public sector. The Government implemented its

recommendations and adopted changes to its data security measures. Examples include:

Requiring officers to password-protect files containing sensitive data when sending out; and

Enhancing the data incident management framework with standardized process to notify affected individuals in data

incidents and conduct post-incident inquiry.

DEFINITIONS

Definition of personal data

Personal data is defined in the Act to mean data, whether true or not, about an individual (whether living or recently deceased)*


who can be identified from:

that data; or

that data and other information to which the organization has, or is likely to have access.

*The Act’s application to recently deceased individuals is limited to disclosure and protection of personal data where such

data is about an individual who has been deceased for ten years or fewer.

The data protection obligations under the Act do not apply to business contact information. This excludes from the Act the

following if provided solely for business purposes:

Name

Position name or title

Business telephone number

Business address

Business electronic mail address

Business fax number

It is important to note that the Act still governs business contact information provided by individuals solely in their personal

capacity. Where the purposes of provision of business contact information are mixed (that is, for both business and personal

purposes), the Act does not apply.

Definition of sensitive personal data

There is no definition of sensitive personal data in the Act.

However, non-binding guidance from the Commission indicates that sensitivity of data is a factor for consideration in implementing

policies and procedures to ensure appropriate levels of security for personal data. For example, encryption is recommended for

sensitive data stored in an electronic medium that has a higher risk of adversely affecting the individual should it be compromised.

Where any personal data collected is particularly sensitive (e.g. regarding physical or mental health), as a matter of best practice,

such data should only be used for limited purposes and the security measures afforded to such data should take into account the

sensitivity of the data.

In addition, the non-binding guidelines issued by the Commission also provide that, in its calculation of financial penalties for

breaches of the Act, the Commission would consider whether the organization in question is in the business of handling large

volumes of sensitive personal data, the disclosure of which may cause exceptional damage, injury or hardship to an individual (such

as medical or financial data), but it has failed to put in place adequate safeguards proportional to the harm that might be caused by

disclosure of such personal data.

The Commission has also issued a set of advisory guidelines to impose restrictions on the collection, use and disclosure of

National Identification Registration Card (“NRIC”) numbers, due to the sensitive nature of the information contained in NRICs

(and other similar forms of identification). From September 1, 2019, organizations will not be permitted to collect either the NRIC

number or the physical cards or other similar forms of identification unless the organization is permitted to do so under the law

or if the collection is necessary for the verification of an individual’s identity to “high degree of fidelity” (where it is extremely

important the individual’s identity is verified, and failure to do so may, for example, pose a significant safety or security risk).

NATIONAL DATA PROTECTION AUTHORITY

Personal Data Protection Commission

Address

10 Pasir Panjang Road #03-01


Mapletree Business City

Singapore 117438

Telephone

+65 6377 3131

Fax

+65 6577 3888

Email

info@pdpc.gov.sg

Website

www.pdpc.gov.sg

REGISTRATION

There are no registration requirements under the Act.

While not a requirement, the Commission strongly encourages organizations to register their Data Protection Officers (“DPOs”)

with the Commission via the Commission’s website, to assist DPOs in keeping up to date with developments in the law.

DATA PROTECTION OFFICERS

It is mandatory for each organization to appoint one or more DPOs to be responsible for ensuring the organization’s compliance

with the Act. An organization may appoint one person or a team of persons to be its DPO. Once appointed, the DPO may in turn

delegate certain responsibilities, including to non-employees of the organization. The business contact information of the DPO

must be made available to the public. The DPO’s contact information may be made available to the public either through the BizFile+ website (where the organisation is registered with the Accounting and Corporate Regulatory Authority) or provided in a readily accessible part of the organization’s official website.

While there is no requirement for the DPO to be a citizen or resident in Singapore, the Commission suggests that the DPO

should be readily contactable from Singapore, available during Singapore business hours and, where telephone numbers are

provided, these should be Singapore telephone numbers.

Failure to appoint a DPO may lead to a preliminary investigation by the Commission. If an organization or an individual fails to

cooperate with the investigation, this will constitute an offence. As a result, an individual may be subject to a fine of up to SGD

10,000 or imprisonment for a term not exceeding 12 months, or to both. An organization may be subject to a fine of up to SGD

100,000.

COLLECTION & PROCESSING

Organizations may only collect, use or disclose personal data in the following scenarios:

They obtain express consent from the individual prior to the collection, use, or disclosure of the personal data (and such

consent must not be a condition of providing a product or service, beyond what is reasonable to provide such product or

service; and must not be obtained through the provision of false or misleading information or through deceptive or

misleading practices), and have also provided the relevant data protection notice (notifying purposes of collection, use and

disclosure) to the individual before, or at the time when they are collecting, using or disclosing the personal data

There is deemed consent by the individual to the collection, use, or disclosure of the personal data in accordance with the

relevant conditions of the Act.

Where the limited specific exclusions prescribed in the Act apply (if no consent or deemed consent is given). Such exclusions include vital interests of individuals, matters affecting the public, legitimate interests, business asset transactions, business improvement purposes and other additional bases.

The Act currently in force expanded the concept of “deemed consent” to cover circumstances where: (i) the collection, use or

disclosure of personal data is reasonably necessary to conclude or perform a contract or transaction; or (ii) (a) where individuals

have been notified of the purpose of the intended collection, use or disclosure of personal data, given a reasonable opportunity to

opt-out, and have not opted out, and (b) the organization has conducted an assessment on the likely adverse effect on such

individuals, and identified and put in place reasonable measures to eliminate, reduce the likelihood of or mitigate any such adverse

effect.

An individual may at any time withdraw any consent given, or deemed given under the Act, upon giving reasonable notice to the

organization.

Further, any collection, use or disclosure of the personal data must only be for the purposes that a reasonable person would

consider appropriate in the circumstances, and for purposes to which the individual has been notified of. Such notification must be

made in accordance with the requirements of the Act.

An organization must also do all of the following:

Make information about its data protection policies, practices and complaints process publicly available.

Cease to retain personal data or anonymize it where it is no longer necessary for any business or legal purpose.

Ensure personal data collected is accurate and complete if likely to be used to make a decision about the individual or

disclosed.

Respond to requests by data subjects under their statutory rights, including a new right of data portability (this right is

expected to come into force no earlier than February 1, 2022).

Data intermediaries that process personal data on behalf of another organization (i.e. data controller) pursuant to a written

contract are exempt from most of the data protection obligations under the PDPA. However, data intermediaries are directly

liable under two specific obligations relating to the retention (see above) and protection (see Security) of personal data.

Data protection management program (“DPMP”) and data protection impact assessment (“DPIA”) guides were published by the

Commission in November 2017 and updated in September 2021.

TRANSFER

In disclosing or transferring personal data to onshore third parties (including affiliates), an organization should ensure that it has

obtained the individual’s deemed or express consent to such transfer (unless exemptions apply) and, if this was not done at the

time the data was collected, additional consent will be required (unless exemptions apply).

It is also a requirement under the Act for organizations to enter into written agreements with their data intermediaries to whom

they transfer personal data and who process such data on behalf of the organizations.

The Act also contains offshore transfer restrictions, which require an organization to ensure that the receiving organization has in

place “comparable protection” to the standards set out in the Act when transferring personal data outside of Singapore.

Mechanisms to achieve this include (this is not a comprehensive list): data transfer agreements (for which the Commission has

released including model clauses); the individual has given consent (and provided required notices have been provided); and where

transfers are considered necessary in certain prescribed circumstances (which include in connection with performance of

contracts between the transferring organization and the individual, subject to certain conditions being met). An organization may

apply to be exempted from any requirement prescribed under the Act in respect of any transfer of personal data out of Singapore.

An exemption may be granted on such conditions as the Commission may require.

The Amendment Act provides for a new right of data portability on electronic data (this right is expected to come into force no earlier than February 1, 2022). Individuals may request an organization (“Porting Organization”) to transmit certain data about them to another organization. The Porting Organization must have an ongoing relationship with the individual, and have collected or created such data.

The Commission has published guides to data sharing (covering intragroup and third party sharing) with practical nonbinding

guidance on data transfer / sharing for organizations, as well as DPMP and DPIA guides (see Collection & Processing).

SECURITY

Organizations must protect personal data in their possession or under their control by making reasonable security arrangements

to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal, the loss of any storage medium or

device on which personal data is stored, or similar risks. Data intermediaries are also directly liable and subject to the same

security obligation. The Act does not specify security measures to adopt and implement, however the Commission has issued best

practice guidance which provides specific examples, including with respect to cloud computing and IT outsourcing.

BREACH NOTIFICATION

Under the current Act, where an organization has reason to believe that a data breach affecting personal data in its possession or

under its control has occurred, it must conduct, in a reasonable and expeditious manner, an assessment of whether the data

breach is a “notifiable breach” (as defined in the current Act). A data breach constitutes a “notifiable breach” if:

it results in, or is likely to result in, significant harm to the affected individuals (including one that compromises personal data prescribed under the Personal Data Protection (Notification of Data Breaches) Regulations 2021); or

it is of a significant scale (i.e. one that affects 500 or more individuals).

An organization must notify the Commission as soon as practicable and in any case no later than three calendar days after the day

the organization makes the above assessment of a notifiable breach. If the data breach results in, or is likely to result in, significant

harm to the affected individual(s), an organization must also notify each affected individual in any manner that is reasonable in the

circumstances.

The Personal Data Protection (Notification of Data Breaches) Regulations 2021 sets out the list of information to be included in

notifications to the Commission and affected individuals.

Where a data breach is discovered by a data intermediary, the data intermediary must notify the organization (i.e. data controller)

without undue delay from the time the data intermediary has credible grounds to believe that a data breach has occurred in

relation to personal data that it is processing on behalf of and for the purposes of the organization. Upon notification by the data

intermediary, the organization must conduct an assessment of whether the data breach is a notifiable data breach.

In addition, the Cybersecurity Act 2018 (“CSA”) was passed in Singapore in early 2019. The CSA primarily contains obligations

applicable to organizations which have been designated as owners of critical information infrastructure. In particular, if your

organization has been designated by the Cybersecurity Commissioner as the owner of a critical information infrastructure,

additional obligations will apply to your organization in relation to data breach incident handling and notification.

ENFORCEMENT

Enforcement of the Act is carried out by the Commission, which include giving directions to do any of the following:

Stop collection, use or disclosure of personal data in contravention of the Act

Destroy personal data collected in contravention of the Act

Provide or refuse access to or correction of personal data

Pay a financial penalty. Currently the maximum financial penalty is SGD 1 million. However, once the section

on increased financial penalty of the Amendment Bill comes into force (no earlier than February 1, 2022), the maximum penalty will

be increased to the higher of (i) 10% of an organization’s annual turnover in Singapore for those with annual turnover that

exceeds SGD 10 million, or (ii) SGD 1 million.

https://www.dlapiperdataprotection.com

https://www.dlapiperdataprotection.com/countries/singapore/collection-and-processing.html

https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?DocDate=20210129

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Singapore 923 | | | www.dlapiperdataprotection.com

These directions may be registered with the Singapore District Courts so that they may have the force and effect of an order of

court.

The Commission issued revised Advisory Guidelines on Enforcement of Data Protection Provisions on February 1, 2021.

Further, new criminal offences are in force to hold individuals accountable for egregious mishandling of personal data, including

knowing or reckless unauthorized disclosure, unauthorized re-identification of anonymized data, or use of personal data for a gain

or to cause harm or loss to another person.

Guidelines published by the Commission indicate how in practice the Commission proposes to handle complaints, reviews and

investigations of breaches of the data protection rules under the Act, and to approach enforcement and sanctions. Amongst other

things, they set out the Commission’s enforcement objectives, and guidance regarding the mitigating and aggravating factors that

the Commission will take into account when issuing directions and sanctions (for example, prompt initial response and resolution

of incidents; cooperation with investigations; and breach notification). The Commission has in the past couple of years stepped up

its efforts to enforce the Act, highlighting the growing risks of non-compliance with the Act in Singapore.

Directions or decisions given are subject to reconsideration by the Commission, upon written application by any aggrieved party.

Directions, decisions or reconsiderations of the Commission may also be subject to appeal to a Data Protection Appeal

Committee, unless the direction or decision to be appealed is the subject of an application for reconsideration, in which case such

appeal would be deemed withdrawn.

Directions may only be appealed to the High Court and Court of Appeal with regard to the following:

A point of law arising from a direction or decision of the Appeal Committee

Any direction of the Appeal Committee as to the amount of a financial penalty

Any person who has suffered loss or damage directly as a result of a contravention of the Act is also entitled to pursue a private

action in court. However, where the Commission has made a decision with regard to the said loss or damage, a right of private

action will only be possible after the decision has become final as a result of there being no further right of appeal. The court may

grant to the plaintiff all or any of the following:

Relief by way of injunction or declaration

Damages

Such other relief as the court thinks fit

ELECTRONIC MARKETING

The data protection principles in the Act apply to any marketing activities (including electronic marketing) which involve the

collection, use or disclosure of personal data.

In addition, any organization or person that wishes to engage in any telemarketing activities will need to comply with the “Do Not

Call” provisions under the Act. Generally, a person or organization who wishes to send marketing messages to a Singapore

telephone number should first obtain the clear and unambiguous consent of the individual to the sending of the messages to such

Singapore telephone number. The consent must:

be evidenced in written or other form so as to be accessible for subsequent reference;

not be a condition for supplying goods, services, land, interest or opportunity; and

not be obtained through the provision of false or misleading information or through deceptive or misleading practices.

In the absence of such consent, organizations must check and ensure that the telephone number is not on a Do-Not-Call register

maintained by the Commission (“DNC Register”), unless such checks are exempted under the Act. There are also other

requirements, including a duty to identify the sender of the marketing message and provide clear and accurate contact information,

as well as a duty not to conceal the calling line identity of any voice calls containing such marketing messages. An individual may at

any time apply to the Commission to add or remove his Singapore telephone number on the DNC Register.


https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-on-Enforcement-of-DP-Provisions-1-Feb-2021 ?la=en


Further, the current Act provides the role of “checkers” which are entities that provide information for gain on whether a

Singapore telephone number is listed in the DNC Register for the purposes of another organization’s obligations under the Act. It

imposes obligations on third party checkers, and checkers will be liable for DNC infringements resulting from any erroneous

information provided by them.

The Act will apply to marketing messages addressed to a Singapore telephone number in the following circumstances:

The sender of the marketing message is present in Singapore when the message was sent.

The recipient of the marketing message is present in Singapore when the message is accessed.

Electronic marketing activities are also regulated under the Spam Control Act (Cap 311A) (“SCA”), to the extent that such

activities involve the sending of unsolicited commercial communications in bulk by electronic mail or by SMS or MMS to a mobile

telephone number.

The DNC provisions under the current Act include a prohibition on sending messages to telephone numbers generated or

obtained through dictionary attacks (generating telephone numbers by combining numbers into numerous permutations) or

address-harvesting software. Related amendments to the SCA to prohibit sending unsolicited electronic messages to instant

messaging accounts are also in force.

The Commission issued the revised Advisory Guidelines on the Do Not Call Provisions on February 1, 2021.

ONLINE PRIVACY

Currently, there are no specific requirements relating to online privacy (including cookies and location) under the Act.

Nevertheless, an organization that wishes to engage in any online activity that involves the collection, use or disclosure of personal

data will still need to comply with the general data protection obligations under the Act. For example, if an organization intends to

use cookies to collect personal data, it must obtain consent before use of any such cookies. For details of the consent required,

please see Collection & Processing. The Commission has published nonbinding guidelines providing practical tips on pertinent

topics such as securing electronic personal data, building websites, the capture of IP addresses and the use of cookies.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Carolyn Bigg
Partner, Global Co-Chair of Data Protection, Privacy and Security Group

T +852 2103 0576

carolyn.bigg@dlapiper.com

Yue Lin Lee
Senior Associate

T +852 2103 0890

yuelin.lee@dlapiper.com

Jing Qin Cho
Registered Foreign Lawyer (Singapore)

T +852 2103 0410

jingqin.cho@dlapiper.com


https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/Advisory-Guidelines-on-the-DNC-Provisions-1-Feb-2021 ?la=en

https://www.dlapiperdataprotection.com/countries/singapore/collection-and-processing.html

https://www.dlapiperdataprotection.com/scorebox/


SINT MAARTEN

Last modified 21 December 2021

LAW

National ordinance personal data protection (Landsverordening bescherming persoonsgegevens), National Gazette 2010,

Consolidated text no. 2 (“National Ordinance Personal Data Protection”);

General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on

May 25, 2018 – may have implications for a data controller / data processor as the extra-territorial reach of the GDPR is

not only relevant to businesses established in the European Union but also to international businesses established in Sint

Maarten which offer goods or services to individuals in the European Union or monitor their behaviour in the European

Union.

DEFINITIONS

Definition of Personal Data

National Ordinance Personal Data Protection 

According to the Explanatory Memorandum on the National Ordinance Personal Data Protection the term personal data has a

broad meaning. This does not only concern data that can identify a person, but concerns any data that can be associated with a

particular person; it is foreseeable that under certain circumstances data can be traced to one person through systematic

comparison and lengthy investigations. Personal identifiable confidential data is therefore not only limited to home address, email

address, telephone number, membership number and/or identity number. 

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one

who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number,

location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,

cultural or social identity of that natural person.

Definition of Sensitive Personal Data

National Ordinance Personal Data Protection 

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade

union. 

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic

data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.


NATIONAL DATA PROTECTION AUTHORITY

National Ordinance Personal Data Protection 

The Personal Data Protection Committee as referred to in article 42 of the National Ordinance Personal Data Protection. 

GDPR 

An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The

authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of

natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

REGISTRATION

National Ordinance Personal Data Protection 

No registration required. 

GDPR 

Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data

processing activities carried out by the company.

DATA PROTECTION OFFICERS

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate

technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures

shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view

of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at

preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the National Ordinance Personal Data Protection does not contain any clauses on any type of

registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

When the organisation is a public authority or body;

If the core activities require regular and systematic monitoring of data subjects on a large scale; or

If the core activities involve large scale processing of special categories of personal data and data relating to criminal

convictions.

COLLECTION & PROCESSING

National Ordinance Personal Data Protection 

Collection: a natural or legal person, public authority, agency or other body which has control over a personal registration.

Processor: a natural or legal person, public authority, agency or other body which has in its possession all or part of the

equipment used for a personal registration of which it is not the holder.

GDPR

Collection: a natural or legal person, public authority, agency or other body that collects personal data and uses it for certain

purposes, like a website that markets to users based on their online behaviour.

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the

controller. Processors act on behalf of the relevant controller and under their authority.

TRANSFER

National Ordinance Personal Data Protection 

Contains no clauses. 

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, or the protection of the GDPR, unless the

rights of the individuals in respect of their personal data are protected in another way, or one of a limited number of exceptions

applies.

SECURITY

National Ordinance Personal Data Protection 

Pursuant to article 13 of the National Ordinance Personal Data Protection the responsible party shall execute appropriate

technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures

shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view

of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at

preventing unnecessary gathering and further processing of personal data. 

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as

well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor

shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32

GDPR).

BREACH NOTIFICATION

National Ordinance Personal Data Protection 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after

having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55

GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

ENFORCEMENT

National Ordinance Personal Data Protection 

Pursuant to article 60 the responsible party who acts in contravention of the provisions of the National Ordinance Personal Data

Protection may be penalized by the Sint Maarten committee of data protection with a financial penalty of a minimum of

Naf. 1,000 (USD 571.43) and a maximum of Naf. 500,000.00 (USD 277,777.78).

GDPR 


The GDPR holds a variety of potential penalties for businesses. 

For example, article 77 of GDPR states that: 

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her

habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data

relating him or her infringes this Regulation.” 

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the

 data subject has his or her habitual residence.”

Penalties 

Compensation to Data Subjects. One penalty that may be imposed is compensation, as stated in article 82 of the Regulation, to

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve

suffered.

Fines 

Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the

level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur

administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is

greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover). 

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional

penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only

guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State

shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

ELECTRONIC MARKETING

National Ordinance Personal Data Protection 

N/A. 

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

The individual has specifically consented.

They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

ONLINE PRIVACY

National Ordinance Personal Data Protection

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do

have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

For location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a

person.


If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is

processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from

others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address

etc. are not known.

KEY CONTACTS

HBN Law & Tax

hbnlawtax.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Maarten Willems
Senior Associate

HBN Law & Tax

T +297 588 6060

maarten.willems@hbnlawtax.com

Misha Bemer
Partner

HBN Law & Tax

T +297 588 6060

misha.bemer@hbnlawtax.com


https://www.dlapiperdataprotection.com/scorebox/


SLOVAK REPUBLIC

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force

in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on

25 May 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their

own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among

the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the

offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their

behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

As a member of the European Union, Slovakia is bound by the Regulation (EU) 2016/679 of the European Parliament and

of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and

on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).

Furthermore, Slovakia adopted Act No. 18/2018 Coll. on the protection of personal data and on amending and

supplementing certain acts (the “Slovak Data Protection Act”) implementing the GDPR, which became effective as of

25 May 2018.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for

“identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is

personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.


Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set

of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who

“alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor

“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

The definitions provided by the GDPR apply.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (similar to the CNIL

in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the GDPR.

The GDPR creates the concept of “lead supervisory authority.” Where there is cross-border processing of personal data (ie,

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by, and answer to, the supervisory authority for their main or single

establishment, the so-called “lead supervisory authority.”

However, the lead supervisory authority is required to cooperate with all other concerned authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory. The concept of lead supervisory authority is therefore of somewhat limited use to multinationals.

The Data Protection Office of the Slovak Republic (the ‘Slovak Office’) is:

Úrad na ochranu osobných údajov Slovenskej republiky (Official Slovak Name)

Hraničná 12

820 07 Bratislava 27

Slovak Republic

The Slovak Office is the supervisory authority and is responsible for overseeing the Slovak Data Protection Act and the

GDPR in Slovakia.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain

comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

A registration or notice obligation to the Slovak Office as supervisory authority is no longer required.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate

to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be

told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article

38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

There is an online form on the website of the Slovak Office which should be completed in order to notify the supervisory

authority of the appointment of a DPO.

COLLECTION & PROCESSING


Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be:

Processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”)

Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”)

Adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

Accurate and where necessary kept up to date (the “accuracy principle”)

Kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”)

Processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”)

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate

compliance for potentially years after a particular decision relating to processing personal data was rendered.

Record-keeping, auditing and appropriate governance will all play a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

With the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time)

Where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract

Where necessary to comply with a legal obligation (of the EU) to which the controller is subject

Where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited

to ‘life or death’ scenarios, such as medical emergencies)

Where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller

Where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks)

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

With the explicit consent of the data subject

Where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement

Where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent

In limited circumstances by certain not-for-profit bodies

Where processing relates to the personal data which are manifestly made public by the data subject

Where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity


Where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards

Where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services

Where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices

Where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1)

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to

processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to re-purpose personal data – ie, use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

Any link between the original purpose and the new purpose

The context in which the data have been collected

The nature of the personal data, in particular whether special categories of data or data relating to criminal convictions

are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

The possible consequences of the new processing for the data subjects

The existence of appropriate safeguards, which may include encryption or pseudonymisation

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

The identity and contact details of the controller

The data protection officer’s contact details (if there is one)

Both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing

The recipients or categories of recipients of the personal data

Details of international transfers

The period for which personal data will be stored or, if that is not possible, the criteria used to determine this


The existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability

Where applicable, the right to withdraw consent, and the right to complain to supervisory authorities

The consequences of failing to provide data necessary to enter into a contract

The existence of any automated decision making and profiling and the consequences for the data subject

In addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google, as a data controller of the search results, had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

The Court of Justice of the European Union delivered two judgments on 24 September 2019 concerning the ‘right to be forgotten’.

The first decision of the CJEU provides important explanations on the conditions under which persons may delete a link

found in a search result if the linked page contains information related to sensitive information (such as their religion, their

political opinion or the existence of a conviction for crime). It also provides useful information about the public’s interest

in accessing information that has become incomplete or outdated due to the passage of time (Judgment of the CJEU in

Case C-136/17).

In its second decision, the CJEU decided on the geographical scope of the right to remove links from search results after

entering the first name and last name. The CJEU limits the effect of the right of removal from search results to results

from European territory only – in other words, removing results in the EU but not worldwide. Search results will

therefore remain accessible based on searches conducted outside the European Union. (Judgment of the CJEU in Case

C-507/17).

Right to restriction of processing (Article 18)


Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (eg, commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

(a) Necessary for entering into or performing a contract

(b) Authorised by EU or Member State law

(c) The data subject has given their explicit (ie, opt-in) consent

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

Collection and processing of personal data is governed by the GDPR.

However, there is specific regulation in this respect in the fourth part of the Slovak Data Protection Act. Pursuant to

Section 78 of the Slovak Data Protection Act, these specific situations are as follows:

A controller may process personal data without the consent of a data subject if the processing of personal data is

necessary for academic, artistic or for literary purposes;

A controller may process personal data without the consent of a data subject if the processing of personal data is

necessary for the purposes of informing the public by means of mass media and if the personal data are processed

by a controller which is authorised to do such business activity;

A controller who is the employer of a data subject is authorized to provide his / her personal data or to make

public his / her personal data in the scope of academic title, name, surname, position, personal employee’s

number, department, place of work performance, telephone number, fax number, work email address and the

identification details of employer, if this is necessary in connection with the performance of the employment

duties of a data subject. Such provision of personal data or making them public shall not interfere with the

reputability, dignity and security of a data subject;

In the processing of personal data, a birth number may be used for the purpose of identifying a natural person

only if its use is necessary for the purpose of processing. A data subject shall grant the explicit consent. Processing

of a birth number on the legal basis of consent of a data subject shall not be excluded by a special regulation.

Making public a birth number is prohibited; this does not apply if a data subject makes public a birth number;

A controller may process genetic, biometric and health-related data on the legal basis of a special regulation or an


international treaty to which the Slovak Republic is bound;

Personal data on the data subject may be obtained from another natural person and processed in the information

system with the prior written consent of data subject only; this does not apply if another natural person by

providing personal data about the data subject to the information system, protects his own rights or legally

protected interests, reports the facts that justify the application of legal liability of the data subject or personal

data are processed on the basis of a special act. Upon request of the Office, the person who processes such personal

data must be able to prove to the Office that he/she has obtained personal data in accordance with this act.

If a data subject is dead, the consent required may be given by a close person. The consent is not valid if at

least one close person has disagreed in writing.


When processing personal data for archiving, scientific purposes, historical research or statistical purposes, the

controller and the intermediary are obliged to accept adequate guarantees for the rights of the data subject.

These guarantees shall include the establishment of adequate and effective technical and organizational measures,

in particular to ensure compliance with the principles of data minimization and pseudonymisation. This does not

apply to the processing of personal data of deceased persons.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and

Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides

for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions),

Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, Eastern Republic of Uruguay, New Zealand and the United

Kingdom.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor

and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of

appropriate safeguards includes amongst others binding corporate rules and standard contractual clauses. The GDPR has removed

the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of

standard contractual clauses from supervisory authorities.

The GDPR (Article 49) also includes a list of context specific derogations, permitting transfers to third countries where:

explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to EU or Member State law is intended to provide information to the

public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is


no other legal basis for transfer will infringe the GDPR.

Pursuant to the GDPR, the free movement of personal data between the Slovak Republic and EU Member States is

guaranteed; the Slovak Republic shall not restrict or prohibit the transfer of personal data in order to protect the

fundamental rights of natural persons, in particular their right to privacy in connection with the processing of their

personal data.

The transfer of personal data to third countries or international organisations is governed by the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However the GDPR does require controllers and processors to consider the following when assessing what might constitute

adequate security:

the pseudonymisation and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical

incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for

ensuring the security of the processing.

Controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security

appropriate to the risk. The rights and obligations in regard to the security of personal data are governed by the GDPR.

In this respect, the Slovak Office issued Decree No. 158/2018 Coll. on Procedure when Assessing the Impact on the

Protection of Personal Data as of 29 May 2018.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority,

and for more serious breaches to also be notified to affected data subjects. A personal data breach is a wide concept, defined as

any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,

personal data transmitted, stored or otherwise processed.” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours

after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and

freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach. (Article 33(2)).


The notification to the supervisory authority must include where possible:

The categories and approximate numbers of individuals and records concerned

The name of the organisation’s data protection officer or other contact

The likely consequences of the breach and the measures taken to mitigate harm 

The measures taken or proposed to be taken by the controller to address the personal data breach, including, where

appropriate, measures to mitigate its possible adverse effects.

Controllers are also required to keep a record of all data breaches (whether or not notified to the supervisory authority) and

permit audits of the record by the supervisory authority.

Breach notifications are governed by the GDPR.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective,

proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.


Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The Slovak Office has various powers to ensure compliance with the Slovak Data Protection Act and the GDPR.

For example, the Slovak Office is entitled to:

on request, provide information to a data subject in relation to the exercise of her / his rights;

order a controller or a processor to provide the necessary information;

order a data controller to notify a data subject of a personal data breach;

enter the premises of a controller or a processor;

impose a corrective measure or a fine.

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address

which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate

interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the

strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate

clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive

2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced

by a Regulation, however, the EU states have not yet been able to agree on the draft legislation. In the meantime, GDPR Article 94

makes it clear that references to the repealed Directive 95/46/EC shall be construed as references to the GDPR. As such,

references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for

consent.

In general, unsolicited electronic marketing requires prior opt-in consent. The opt-in requirement is waived under the ‘same


service/product’ exemption. The exemption concerns marketing emails related to the same products/services as previously

purchased from the sender by the user provided that:

the user has been informed of the right to opt-out prior to the first marketing email

the user did not opt-out, and

the user is informed of the right to opt-out of any marketing email received. The exemption applies to electronic

communication such as electronic text messages and email but does not apply with respect to communications sent by

fax.

Direct marketing emails must not disguise or conceal the identity of the sender.

Pursuant to the GDPR, where personal data are processed for direct marketing purposes, the data subject shall have the

right to object at any time to the processing of personal data concerning him or her for such marketing, which includes

profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct

marketing purposes, the personal data shall no longer be processed for such purposes.

Electronic marketing shall be in particular governed by Act No. 351/2011 Coll. on Electronic Communications, as amended (the “ECA”).

Under the ECA, processing of the traffic data of a subscriber or user for the purposes of marketing services or

the purposes of ensuring value added services by any public network or service providers is possible solely with the prior

consent of the subscriber or the user. Prior to obtaining the consent, the public network or service providers are obliged

to inform the subscriber or user on:

the type of the traffic data processed;

the purpose of the traffic data processing, and

the duration of the data processing.

For the purposes of direct marketing, the call or use of automatic calls and communications systems without human

intervention, facsimile machines, e-mail, including SMS messages to the subscriber or user, who is a natural person, is

allowed solely with his/her prior consent. Such consent must be provable. Users or subscribers are entitled to withdraw

such consent at any time.

The prior consent of the recipient of a marketing e-mail shall not be required in the case of direct marketing of similar products and services of a person that has obtained the electronic contact information of the recipient from a previous sale of its own product and/or service to such recipient, in line with the provisions of the ECA.

The recipient of an e-mail shall be entitled to refuse at any time, by simple means and free of charge, such use of electronic contact information, both at the time of its collection and on the occasion of each message delivered, where the recipient has not already refused such use.

Both,

sending e-mails for the purposes of direct marketing without the determination of a valid address to which the

recipient may send a request that he/she is no longer willing to receive such communication, and

encouragement to visit a website in contradiction with a special regulation,

shall be prohibited.

New Act No. 452/2021 Coll. on Electronic Communications (the “Act”) will take effect on 1 February 2022 and replace the ECA. Among other things, the new Act is intended to strengthen the protection of personal data in connection with the use of electronic communications services by introducing sanctions for unauthorized use of cookies, which have been lacking in the ECA.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Slovak Republic 943 | | | www.dlapiperdataprotection.com

ONLINE PRIVACY

As regards the protection of privacy and protection of personal data processed in the electronic communications sector, the

provisions of the ECA (Act No. 351/2011 Coll. on e-communications) shall apply. The ECA implemented e.g. Directive

2002/58/EC (as amended by Directive 2009/136/EC).

Under the ECA, the public network or service provider is obliged to ensure technically and organisationally the confidentiality of

the communications and related traffic data, which are conveyed by means of its public network and public services. In particular

recording, listening, or storage of data (or other kinds of an interception or a surveillance of communications and data related

thereto) by persons other than users, or without the consent of the concerned users, shall be prohibited. This does not, however, prohibit the technical storage of data which is necessary for the conveyance of communications, although the principle of confidentiality still applies to such stored data.

Further to this, the network or service provider (‘undertaking company’) shall not be held liable for the protection of the

conveyed information if such information can be directly listened to or obtained at the location of the broadcasting and/or

reception.

However, this ban does not apply to temporary recording and storing of messages and related traffic data if it is required:

for the provision of value added services ordered by a subscriber or user;

to prove a request to establish, change or withdraw the service, or

to prove the existence or validity of other legal acts, which the subscriber, user or undertaking company has made.

Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council concerning the processing of personal

data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)

was implemented into Section 55 of the ECA. Under Section 55 (5) of the ECA: “every person that stores or gains access to

information stored in the terminal equipment of a user shall be authorised for that only if the user concerned has given his consent on the

basis of clear and comprehensive information about the purpose of the processing; this shall not prevent any technical storage of data or

access hereof for the sole purpose of the conveyance or facilitation of the conveyance of a communication by means of a network or if strictly

necessary for the provider of an information society service to provide information society services if explicitly requested by the user.”

Processing of cookies requires an opt-in consent of the user. The consent to cookies must be based on provision of

comprehensive information on the data processing. The best practice is to provide the user with clear and comprehensive

information about all processed cookies including those that are strictly necessary.

Cookies that are strictly necessary in order to provide the information society service (explicitly requested by the user), i.e.

required only for the functioning of the website, may be processed without a user’s consent (strictly necessary exemption). 

Traffic Data

Traffic Data can only be processed for the purpose of the conveyance of a communication on an electronic

communications network or for the invoicing thereof. The Traffic Data related to subscribers or users may not be stored

without the consent of the person concerned and the undertaking company is required, after the end of a communication

transmission, without delay, to destroy or make anonymous such Traffic Data, except as provided otherwise by the ECA.

If it is necessary for the invoicing of the subscribers and network interconnection payments, the undertaking company is

required to store the Traffic Data until the expiration of the period during which the invoice may be legally challenged or

the claim for the payment may be asserted. The undertaking company is required to provide the Traffic Data to the Office


of Electronic Communication and Postal Services or the court in the case of a dispute between undertaking companies or

between an undertaking company and a subscriber. The scope of the stored Traffic Data must be limited to the minimum

necessary. 

Location Data

The undertaking company may process the Location Data other than the Traffic Data which relates to the subscriber or

the user of a public network or public service only if the data are made anonymous or the processing is done with user

consent, and in the scope and time necessary for the provision of the value added service. The undertaking company must,

prior to obtaining consent, inform the subscriber or user of the Location Data other than Traffic Data which will be

processed, on the type of Location Data to be processed, on the purpose and duration of the processing, and whether the

data will be provided to a third party for the purpose of the provision of the value added service. The subscriber or user

may revoke its consent for the processing of Location Data at any time.

Following the Judgment of the Court of Justice of the European Union of 8 April 2014 in the joined cases of Digital Rights Ireland (C-293/12) and Kärntner Landesregierung (C-594/12), which invalidated the so-called “data retention” Directive 2006/24/EC, the Constitutional Court of the Slovak Republic on 29 April 2015 issued a judgement (PL. ÚS 10/2014-78) (the “Judgement”) in which it proclaimed certain provisions of the ECA to be non-compliant with the provisions of the Constitution of the Slovak Republic, the provisions of the Charter of Fundamental Rights and Freedoms and the provisions of the Convention for the Protection of Human Rights and Fundamental Freedoms. Upon the Judgement, the obligation of telecommunications operators to retain the Traffic Data and Location Data about the electronic communication of all citizens for the prescribed period (6/12 months) was abolished and removed from the ECA.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

JUDr. Dr. Michaela Stessl
Country Managing Partner

T +421 2 59202 122

michaela.stessl@dlapiper.com

Eva Skottke
Senior Associate

T +421 2 59202 111

eva.skottke@dlapiper.com


SLOVENIA

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force

in 2016 and, following a two year transition period, became directly applicable in all Member States of the European Union on 25

May 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by the GDPR where Member States are permitted to legislate differently in

their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices

among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a

wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to

the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related to “the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behavior” (Article 3(2)(b)) as far as their behavior takes place within the EU.

The new Slovenian Data Protection Act (ZVOP-2) that will implement certain aspects of the GDPR has not been adopted,

but is – as of January 2022 – still in the legislative process.

The current draft mostly follows the GDPR and only amends a few aspects, mostly of a systemic and procedural nature

and adds some provisions in areas where GDPR allows to do so. Following some concerns expressed from academia and

other stakeholders on the previous version, the draft has undergone several revisions. The current draft consequently

brings a better alignment of the proposal with the provisions of the GDPR. Despite the initial intention that ZVOP-2 will

implement both (i) the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of

the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on

the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, and (ii) the GDPR, it is now

clear that ZVOP-2 will only serve as an implementing tool with regard to the GDPR.

With respect to the implementation of Directive 2016/680, the Slovenian legislator has enacted a specific legal act, namely the Slovenian Act on the Protection of Personal Data in the Area of Treatment of Criminal Offences (Zakon o varstvu osebnih podatkov na področju obravnavanja kaznivih dejanj, Official Gazette no. 177/20; ZVOPOKD), which entered into force on 31 December 2020.


DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set

of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR

imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the

CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working

Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing

guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e.

processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single

establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for

enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single

establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory

authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects

only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general

notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of

personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases

following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or

processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory

authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by

rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain


comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data

processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable

operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

It should be noted that ZVOP-2 is expected to lay down additional and more specific requirements for appointment of

DPOs regarding the level of professional qualification and the required work experience. Additional conditions will also

vary depending on whether the DPO will work in a public authority, public sector (other than public authority) or in the

private sector.

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic

law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up to date (the “accuracy principle”);


kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate

basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are

(Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in

effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an

Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to

the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical

diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to


processing genetic data, biometric data and health data.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an

official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which

was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and

proportionate measure in a democratic society).

Transparency (Privacy Notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her

data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily

accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.


Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the

data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise

of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

necessary for entering into or performing a contract;

authorised by EU or Member State law; or 


the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain

human intervention, to contest the decision, and to express his or her point of view.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Japan, Republic of Korea, United Kingdom (under the GDPR and the Law Enforcement Directive), Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes, amongst others, binding corporate rules and standard contractual clauses. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context-specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;
b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
d. the transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims;
f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

SECURITY

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymisation and encryption of personal data;
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include, where possible, the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on their subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

- the basic principles for processing including conditions for consent;
- data subjects’ rights;
- international transfer restrictions;

- any obligations imposed by Member State law for special cases such as processing employee data; and
- certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

- obligations of controllers and processors, including security and data breach notification obligations;
- obligations of certification bodies; and
- obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

It should be noted that the Slovenian Information Commissioner (Informacijski pooblaščenec) still cannot impose any fines on the basis of the GDPR until ZVOP-2 is adopted. The fines may, however, be issued on the basis of pre-GDPR legislation which to a significant extent overlaps with the GDPR.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

- any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
- data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

Direct marketing by means of electronic communications is regulated by the Consumer Protection Act (Zakon o varstvu potrošnikov, Official Gazette 98/04 et seq.), the Electronic Commerce Market Act (Zakon o elektronskem poslovanju na trgu, Official Gazette 19/15), the Electronic Communications Act (Zakon o elektronskih komunikacijah, Official Gazette no. 109/12 et seq.) and the Personal Data Protection Act. It is worth mentioning that as at January 2022, a draft proposal for a new Electronic Communications Act (ZEKom-2) has been published by the competent ministry which seeks to replace the current ZEKom-1 and implement Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code, meaning a new act can be expected in the near future.

The consent of an individual is required for the purposes of electronic marketing. Direct marketing is allowed where the “similar service/product” exemption applies; however, customers must be given a clear and distinct opportunity to refuse the use of their electronic mail address at the time of the collection of these contact details, and on the occasion of every message in the event that the customer has not initially refused such use. Additionally, the sending of electronic mail for the purposes of direct marketing which disguises or conceals the identity of the sender, or is sent without a valid address, is prohibited.

ONLINE PRIVACY

Traffic data

Traffic data must be erased or made anonymous as soon as it is no longer needed for the purpose of the transmission of a communication, except in cases where a longer period of retention is allowed by statute. Nevertheless, an operator may, until complete payment for the service is made but no later than the expiry of the limitation period, retain and process traffic data required for the purposes of calculation and payment relating to interconnection.

Location data

Location data may only be processed for the purposes of providing the value-added service and when it is made anonymous, or with the prior consent of the user or subscriber, who may withdraw this consent at any time. Prior to giving consent, a user or subscriber must be informed of (i) the possibility of refusing consent, (ii) the type of data to be processed, (iii) the purpose and duration of processing, and (iv) the possibility of the transmission of location data to a third party for the purpose of providing the value-added service.

Cookie compliance

The Electronic Communications Act (ZEKom-1) provides rules on the usage of cookies and similar technology for data storage. Pursuant to ZEKom-1, the retention of information or the gaining of access to information stored in a subscriber’s or user’s terminal equipment (cookies) is only permitted if the subscriber or user gave their informed consent after having been given clear and comprehensive information about the information manager and the purpose of the processing of this information. However, an exception is provided in the case of carrying out the transmission of a communication over an electronic communications network, or if this is strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

In the near future, it is to be expected that the new ZEKom-2 will come into force and provide further regulation of this area.

KEY CONTACTS

Dr. Jasna Zwitter-Tehovnik
Partner

T +43 1 531 78 1042

jasna.zwitter-tehovnik@dlapiper.com

SOUTH AFRICA

Last modified 20 December 2021

LAW

The right to privacy is recognized as a fundamental human right in the Bill of Rights of the Constitution of the Republic of South Africa and is protected in terms of the Constitution and the common law. This right to privacy is not absolute and may be limited where it is reasonable and justifiable to do so.

The Protection of Personal Information Act 4 of 2013 (POPIA) came into effect on 1 July 2020, but there was a one-year grace period within which to comply with POPIA. It is now almost fully in force (see below). POPIA specifically regulates the processing of personal information that is entered into a record pertaining to natural living persons as well as existing legal persons.

Recent developments

POPIA came into force on 1 July 2020 but was subject to a 12-month grace period, which ended on 30 June 2021. POPIA is now accordingly in force in its entirety save for the provisions regarding prior authorization, which will only come into effect on 1 February 2022. This means that all responsible parties (i.e. data controllers) that conduct processing activities that are subject to prior authorization will need to submit an application for prior authorization by 1 February 2022 and will need to cease such processing activities until such time as prior authorization is obtained. A number of guidance notes were issued by the Information Regulator during 2021, as follows:

- Guidance Note on Applications for Prior Authorisation;
- Guidance Note on Information Officers and Deputy Information Officers;
- Guidance Note on Exemptions from the Conditions for Lawful Processing;
- Guidance Note on Processing of Special Personal Information; and
- Guide on how to use the Promotion of Access to Information Act, 2000 and exemption of certain bodies from having a PAIA Manual.

DEFINITIONS

Definition of personal data

“Personal information” is defined in POPIA as information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing, juristic person, including:

- Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin; color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief; culture, language and birth of the person
- Information relating to the education, medical, financial, criminal or employment history of the person
- Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier or other particular assignment to the person
- The biometric information of the person
- The personal opinions, views or preferences of the person
- Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence
- The views or opinions of another individual about the person
- The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person

POPIA applies to the processing of personal information entered in a record by or for a responsible party / data controller that is domiciled in South Africa and that makes use of automated or non-automated means to process the personal information. It would also apply if the responsible party is not domiciled in South Africa but makes use of automated or non-automated means in South Africa unless those means are used only to forward personal information through South Africa.

POPIA does not apply to the processing of personal information:

- In the course of a purely personal or household activity
- That has been de-identified to the extent that it cannot be re-identified again
- By or on behalf of the State with regard to national security, defense or public safety, or the prevention, investigation or proof of offenses; or for the purposes of the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information
- For exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information
- Solely for the purposes of journalistic, literary or artistic expression to the extent that such exclusion is necessary to reconcile, as a matter of public interest, the right to privacy with the right to freedom of expression
- By Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality
- For purposes relating to the judicial functions of a court referred to in section 166 of the Constitution, and
- Under circumstances that have been exempted from the application of the conditions for lawful processing by the Information Regulator in certain circumstances

Definition of sensitive personal data

Special personal information is information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information and criminal behavior (to the extent that such information relates to the alleged commission of an offense or any proceedings in respect of any offence allegedly committed, or the disposal of such proceedings).

Subject to certain prescribed exceptions, the processing of special personal information without the consent of the data subject is generally prohibited under POPIA.

NATIONAL DATA PROTECTION AUTHORITY

The first members of the Information Regulator have been appointed, with effect from December 1, 2016.

The powers, duties and functions of the office of the Information Regulator include providing education regarding the protection and processing of personal information; monitoring and enforcing compliance with the provisions of POPIA; consulting with interested parties and acting as mediator; receiving, investigating and attempting to resolve complaints; issuing enforcement notices and codes of conduct; and facilitating cross-border cooperation.

REGISTRATION

Data protection officers (referred to in POPIA as “information officers”) must be registered with the Information Regulator.

The responsible party is required to obtain prior authorization from the Information Regulator before processing personal information in certain circumstances prescribed in section 57 of POPIA, for example, where special personal information or personal information of children is transferred to a third party in a foreign country that does not provide an adequate level of protection for the processing of personal information and where information on criminal behavior or unlawful or objectionable conduct is processed on behalf of third parties. Prior authorization is also required when processing personal information for the purposes of credit reporting or when processing unique identifiers for a purpose other than the purpose for which it was originally collected and linking it with personal information processed by other third parties. The responsible party is not otherwise required to register its processing of personal information.

The prior authorization requirements in POPIA will only come into effect on 1 February 2022. This means that all responsible parties (i.e. data controllers) that conduct processing activities that are subject to prior authorization will need to submit an application for prior authorization by 1 February 2022 and will need to cease such processing activities until such time as prior authorization is obtained.

DATA PROTECTION OFFICERS

Data protection officers (referred to in POPIA as “information officers”) must be registered with the Information Regulator.

The duties and responsibilities of a responsible party’s information officer are set forth in POPIA and include encouraging and ensuring compliance with POPIA; dealing with any requests made to that responsible party in terms of POPIA; and working with the Information Regulator in respect of investigations by the Information Regulator in relation to that responsible party. The Regulations to POPIA, among other things, further provide that the information officer must ensure that a compliance framework is developed, implemented, monitored and maintained, and that a personal information impact assessment is conducted to ensure that adequate measures and standards exist.

COLLECTION & PROCESSING

“Processing” of information is defined in POPIA as any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

- The collection, receipt, recording, organization, collation, storage, updating or modification, retrieval, alteration, consultation or use
- Dissemination by means of transmission, distribution or making available in any other form
- Merging, linking, as well as blocking, degradation, erasure or destruction of information

POPIA prescribes the following eight conditions for lawful processing of personal information:

- Accountability: The responsible party must comply with all the conditions for lawful processing.
- Purpose specification: Personal information must only be collected for a specific, explicitly defined lawful purpose related to a function or activity of the responsible party.
- Processing limitation: Processing must be justified on a ground recognized under POPIA (eg, consent/legitimate interests of the data subject, responsible party or the third party to whom the information is supplied).
- Further processing limitation: Processing must be in accordance with or compatible with the purpose for which it was initially collected, subject to limited exceptions.
- Information quality: Steps must be taken to ensure that the information is complete, accurate, not misleading and updated where necessary.
- Openness: Notification requirements must be complied with when collecting personal information.
- Security safeguards: Appropriate, reasonable technical and organizational measures must be implemented and maintained to prevent loss of, damage to or unauthorized destruction of or unlawful access to personal information.
- Data subject participation: Data subjects have the right to request details of the personal information that a responsible party holds about them and, in certain circumstances, request access to such information.

TRANSFER

POPIA caters for two scenarios relating to the transfer of personal information, namely where a responsible party in South Africa sends personal information to another country to be processed and where a responsible party in South Africa processes personal information that has been received from outside South Africa.

Receiving personal information from other countries

The requirements for the processing of personal information prescribed in POPIA will apply to any personal information processed in South Africa, irrespective of its origin.

Sending personal information to other countries for processing

A responsible party in South Africa may not transfer personal information to a third party in another country unless:

- The recipient is subject to a law, binding corporate rules or a binding agreement which:
  - Upholds principles for reasonable processing of the information that are substantially similar to the conditions contained in POPIA and
  - Includes provisions that are substantially similar to those contained in POPIA relating to the further transfer of personal information from the recipient to third parties who are in another country
- The data subject consents to the transfer
- The transfer is necessary for the performance of a contract between the data subject and responsible party, or for the implementation of pre-contractual measures taken in response to the data subject’s request or
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the responsible party and a third party, or the transfer is for the benefit of the data subject and:
  - It is not reasonably practicable to obtain the consent of the data subject to that transfer, and
  - If it were reasonably practicable to obtain such consent, the data subject would be likely to give it

SECURITY

Section 19 of POPIA places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of, and unlawful access to, personal information.

To comply with this obligation, the responsible party must take reasonable measures to do all of the following:

- Identify all reasonably foreseeable internal and external risks to personal information under its control
- Establish and maintain appropriate safeguards against the risks identified
- Regularly verify that the safeguards are effectively implemented
- Ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards

The responsible party must also have due regard to generally accepted information security practices and procedures which may apply to it generally or be required in terms of specific industry or professional rules and regulations.

BREACH NOTIFICATION

In terms of section 22 of POPIA, where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorized person, the responsible party must notify the Information Regulator and the data subject, unless the identity of such data subject cannot be established.

The notification must be made as soon as reasonably possible after the discovery of the compromise, taking into account the legitimate needs of law enforcement or any measures reasonably necessary to determine the scope of the compromise and to restore the integrity of the responsible party’s information system.

The responsible party may only delay notification of the data subject if a public body responsible for the prevention, detection or investigation of offenses or the Information Regulator determines that notification will impede a criminal investigation by the public body concerned. The notification must be in writing and communicated to the data subject in a prescribed manner.

The notification must provide sufficient information to allow the data subject to take protective measures against the potential consequences of the compromise, including all of the following:

- A description of the possible consequences of the security compromise
- A description of the measures that the responsible party intends to take or has taken to address the security compromise
- A recommendation with regard to the measures to be taken by the data subject to mitigate the possible adverse effects of the security compromise
- If known to the responsible party, the identity of the unauthorized person who may have accessed or acquired the personal information

The Information Regulator may direct a responsible party to publicize, in any manner specified, the fact of any compromise to the integrity or confidentiality of personal information, if the Information Regulator has reasonable grounds to believe that such publicity would protect a data subject who may be affected by the compromise.

An operator / data processor is not required to notify the Information Regulator or data subjects where there are reasonable grounds to believe that there has been a data breach. It must, however, notify the responsible party / data controller of the suspected data breach.

ENFORCEMENT

Any person may submit a complaint to the Information Regulator alleging non-compliance with POPIA. The Information Regulator may also initiate an investigation into interference with the protection of personal information.

Upon receipt of a complaint, the Information Regulator may, inter alia, conduct a pre-investigation or full investigation of the complaint, act as conciliator, refer the complaint to another regulatory body if the Information Regulator considers that the complaint falls more properly within the jurisdiction of the other regulatory body, or decide to take no further action.


The Information Regulator’s powers for purposes of investigating a complaint include the power to summons and enforce the appearance of persons before the Information Regulator to give evidence or produce records or things; enter and search the premises occupied by a responsible party; and conduct interviews and inquiries.

If the Information Regulator is satisfied that a responsible party has interfered or is interfering with the protection of the personal information of a data subject, it may issue an enforcement notice prescribing action to be taken by the responsible party to remedy the situation.

A responsible party who fails to comply with an enforcement notice is guilty of an offense and is liable, on conviction, to a fine or imprisonment (or both) for a period of no longer than ten years (in terms of section 107), or alternatively to an administrative fine (in terms of section 109). Currently, the maximum fine under sections 107 and 109 of POPIA is R10 million.

Section 99 also makes provision for a civil action for damages resulting from non-compliance with POPIA. In order to succeed in such a claim the complainant would need to prove all the elements of a delict: wrongful conduct, causation, fault (intent / negligence) and harm. The data subject would need to prove the quantum of the damages that s/he seeks.

ELECTRONIC MARKETING

Now that POPIA is fully in effect, direct marketing by means of unsolicited electronic communications is regulated by POPIA, whereby the opt-in regime has taken effect. Accordingly, under POPIA, the processing of a data subject’s personal information for the purposes of direct marketing by means of unsolicited electronic communications is prohibited unless the data subject has given its consent, or the email recipient is an existing customer of the responsible party. The responsible party may only approach a data subject once in order for the data subject to opt in to receive marketing information. The Regulations to POPIA contain a prescribed form to be used when seeking this opt-in.

When sending emails to a data subject who is an existing customer: (a) the responsible party must have obtained the details of the data subject through a sale of a product or service; (b) the marketing should relate to its own similar products or services; and (c) the data subject must have been given a reasonable opportunity to opt out, free of charge, of the use of its personal information for marketing when such information was collected and on each occasion that marketing information is sent to the data subject, if the data subject has not initially refused the use of the personal information for electronic marketing purposes. Direct marketing that is not by electronic communications (i.e. telephone or in-person marketing) continues to be regulated by the Consumer Protection Act, which requires the consumer to have an opportunity to opt out of receiving direct marketing.

ONLINE PRIVACY

There are no sections of POPIA that expressly regulate privacy in relation to cookies and location data. These issues may be dealt with in subsequent regulations or codes of conduct to be issued by the Information Regulator.


KEY CONTACTS

DLA Piper


Monique Jefferson
Director

T +27 11 302 0853

monique.jefferson@dlapiper.com

Justine Katz
Associate

T +27 (0)11 302 0846

justine.katz@dlapiper.com


SOUTH KOREA

Last modified 21 December 2021

LAW

The Korean legislative system for personal information protection is composed of the Personal Information Protection Act (“PIPA”), a general, comprehensive statute, and the Credit Information Use and Protection Act, which regulates personal credit information.

The Act on Promotion of Information and Communications Network Utilization and Information Protection, etc. (“Network Act”) once functioned as a special statute that regulated the processing of users’ personal information by online service providers. However, after the substantial amendments to the PIPA and the Network Act on January 9, 2020, all provisions related to the processing and protection of personal information applicable to online service providers under the Network Act have been either removed or consolidated into the amended PIPA. The amendments to the PIPA and the Network Act went into force on August 5, 2020, and now the processing of personal information while providing online services is subject to the PIPA under a separate section exclusively dedicated to regulating online service providers (“Special Section”), further explained below. Note that other parts of the PIPA will also apply to “Online Service Providers” (defined as ‘telecommunications service providers’ as prescribed in Article 2, Item 8 of the Telecommunications Business Act and other persons who provide information or act as an intermediary for the provision of information for the purpose of earning profit, by utilizing the services rendered by telecommunications service providers) if the Special Section is silent on a given issue.

Two amendments to the PIPA have been proposed and are pending review by the National Assembly: one proposed by a lawmaker (“Lawmaker Proposal”) and the other by the PIPC (“PIPC Proposal”). Both amendments intend to increase monetary rather than criminal penalties. The Lawmaker Proposal seeks to (i) combine and unify the rules pertaining to the collection/use and third party provision of personal information and (ii) require controllers to notify data subjects if their sensitive data is disclosed while services are being provided. The PIPC Proposal seeks to (i) combine and unify the data protection framework between online and offline, and (ii) strengthen the data subject’s rights, such as by introducing the right of data portability.

DEFINITIONS

Definition of personal data

Under PIPA, “personal information” means information relating to a living individual that constitutes any of the following:

a. Information that identifies a particular individual by his/her full name, resident registration number, image, etc.

b. Information which, even if by itself does not identify a particular individual, may be easily combined with other information to identify a particular individual (in this case, whether or not there is ease of combination shall be determined by reasonably considering the time, cost, technology, etc. used to identify the individual, such as the likelihood that the other information can be procured)

c. Information under items (a) or (b) above that is pseudonymised in accordance with the relevant provisions and thereby becomes incapable of identifying a particular individual without the use or combination of information for restoration to the original state (referred to as “pseudonymised information”).


Definition of sensitive personal data

Under the PIPA, “sensitive information” is defined as personal information concerning an individual’s ideology, faith, labor union membership, political views or membership in a political party, health or medical treatment information, sexual orientation, genetic information, criminal records, biometric data for the purpose of uniquely identifying a natural person, and race/ethnic information. Sensitive information can be processed if (a) such processing is required or permitted by a statute, or (b) the consent of the data subject is separately obtained.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Information Protection Commission (“PIPC”) is in charge of the enforcement of PIPA.

The PIPC shall perform the following work:

1. Matters concerning the improvement of law relating to personal information protection

2. Matters concerning the establishment or execution of policies, systems or plans relating to personal information protection

3. Matters concerning investigation into infringement upon the rights of data subjects and the ensuing dispositions

4. Handling of complaints or remedial procedures relating to personal information processing and mediation of disputes over personal information

5. Exchange and cooperation with international organizations and foreign personal information protection agencies to protect personal information

6. Matters concerning the investigation and study, education and promotion of law, policies, systems and status relating to personal information protection

7. Matters concerning the support of technological development and dissemination relating to personal information protection and nurturing of experts, and

8. Matters specified as the work of the PIPC by the PIPA or other statutes.

REGISTRATION

Under the PIPA there is no general rule regarding the registration of personal data controllers; however, a public institution which manages a personal information file (i.e. a collection of personal information) must register the following with the PIPC. A “public institution” in this context refers to any government agency or institution.

name of the personal information file

basis and purpose of operation of the personal information file

items of personal information which are recorded in the personal information file

the method to process personal information

period to retain the personal information file

person who receives personal information generally or repeatedly, and

other matters prescribed by the Presidential Decree.

The Presidential Decree of the PIPA stipulates that the following must also be registered with the PIPC:

the name of the institution which operates the personal information file

the number of subjects of the personal information included in the personal information file

the department of the institution in charge of personal information processing


the department of the institution handling the data subjects’ requests for inspection of personal information, and

the scope of personal information the inspection of which can be restricted or rejected, and the grounds therefor.

Only “public institutions” are required to register with the PIPC.

DATA PROTECTION OFFICERS

Under PIPA, every personal data controller (which means any person, any government entity, company, individual or other person that, directly or through a third party, controls and/or processes personal information in order to operate personal information files as part of its activities) must designate a chief privacy officer (“CPO”) who must be an employee or executive of the company.

The CPO’s obligations under the PIPA are as follows:

establishing and implementing plans for the protection of personal information

performing periodic investigations and improving the status and practices of the processing of personal information

handling complaints and dealing with damage pertaining to the processing of personal information

establishing internal control systems for preventing leakage, misuse and abuse of personal information

establishing and implementing training sessions for the protection of personal information

protecting, managing, and monitoring personal information files

establishing, amending, and implementing a personal information processing policy

managing materials concerning the protection of personal information, and

destroying personal information for which the purpose of processing has been achieved or for which the retention period has expired.

There are no nationality or residency requirements for the chief privacy officer. In the event that a CPO is not designated, the personal information processing entity may be subject to a maximum administrative fine of KRW 10 million under the PIPA.

COLLECTION & PROCESSING

Under the PIPA, there must be a specific legitimate basis for processing personal information, with the most representative basis being the data subject’s consent. As a result, in principle, the explicit consent of data subjects must be obtained before processing their personal information. However, the data subjects’ consent is not required in cases where the processing of personal information is prescribed by a statute or where it is necessary for an entity to process personal information in order to comply with its legal obligations.

Exceptions to the general rule above which are applicable to personal data controllers are as follows:

where there exist special provisions in any Act or it is inevitable to fulfil an obligation imposed by or under any Act and subordinate statute

where it is inevitable for a public institution to perform its affairs provided for in any Act and subordinate statute

where it is inevitably necessary for entering into and performing a contract with a data subject

where it is deemed obviously necessary for the physical safety and property interests of a data subject or a third person when the data subject or their legal representative cannot give prior consent because they are unable to express their intention or by reason of their unidentified address, and

where it is necessary for a personal data controller to realize their legitimate interests and this obviously takes precedence over the rights of a data subject. In such cases, this shall be limited to cases where such data is substantially relevant to a personal data controller’s legitimate interests and a reasonable scope is not exceeded.

Exceptions to the general rule above which are applicable to Online Service Providers are as follows:

if the personal information is necessary in performing the contract for provision of online services, but it is obviously difficult to get consent in an ordinary way due to any economic or technical reason

if it is necessary in settling the payment for charges on the online services rendered, and

if a specific provision exists in the PIPA or any other Act.

While one consent form may be used, separate consents must be obtained respectively for each type of processing activity (e.g. collection and use, third party provision) and for different types of personal information (e.g. unique identification information and sensitive information).

Under the PIPA, data subjects must be informed of, and provide their consent to, the following matters before their personal information is collected and/or used:

the purpose of the collection and use

the items of personal information that will be collected

the duration of the possession and use of the personal information, and

the fact that the data subject has a right to refuse to give consent and the negative consequences or disadvantages that may result due to any such refusal.

The collection and use or provision of the resident registration number (which is a type of unique identification information) is prohibited even with the consent of the data subject unless collection and use or provision is explicitly required or permitted under a statute.

When a certain business transfer occurs, the personal data controller must provide its data subjects a chance to opt out by providing a notice, including items of:

the expected occurrence of personal information transfers

the contact information of the recipient of the personal information, including the name, address, telephone number and other contact details of the recipient, and

the means and process by which the data subjects may refuse to consent to the transfer of personal information.

If the data subject or online service user is under the age of 14, the consent of their legal guardian must be obtained.

TRANSFER

As a general rule, a personal data controller may not provide personal information to a third party without obtaining the prior opt-in consent of the data subject.

Exceptions to the general rule above apply in the following cases:

where there exist special provisions in any Act or it is necessary to fulfil an obligation imposed by or under any Act and subordinate statute

where it is necessary for a public institution to perform its affairs provided for in any Act and subordinate statute, etc., and

where it is deemed obviously necessary for the physical safety and property interests of a data subject or a third person when the data subject or his/her legal representative cannot give prior consent because he/she is unable to express his/her intention or by reason of his/her unidentified address, etc.

Under the PIPA, a personal data controller must obtain consent after it notifies the data subject of:

the person (entity) to whom the personal information is furnished

purpose of use of the personal information by the person (entity)

types of personal information furnished

period of time during which the person (entity) will possess and use the personal information, and

the fact that the data subject has the right to refuse to consent and the consequences of refusing.

While there is no additional requirement for the personal data controller other than the general requirements for third party transfer described above, there is a special provision for cross-border transfer of personal information of “Users” (defined as all individuals who use the telecommunications services provided by Online Service Providers). If a User’s personal information is transferred to an overseas entity, Online Service Providers must disclose and obtain the User’s consent with respect to the following:

the specific information to be transferred overseas

the destination country


the date, time, and method of transmission

the name of the third party and the contact information of the person in charge of the personal information within the third party, and

the third party’s purpose of use of the personal information and the period of retention and usage.

In principle, this requirement applies irrespective of whether the transfer constitutes a provision of personal information to a third party or an outsourcing of personal information processing, provided that the obligation to obtain Users’ consent may be exempted for outsourcing of personal information processing or storage of personal information if the aforementioned items are disclosed in the privacy policy.

Under the PIPA, when processing personal information acquired indirectly by way of a third party transfer, transferees who meet a certain threshold as provided by the Presidential Decree will be obligated to notify the data subject of (i) the third party source (transferor) from which the personal information was acquired, (ii) the intended use of the received personal information, and (iii) the fact that the data subject has the right to request suspension of the processing of personal information.

SECURITY

Under the PIPA, every personal data controller must, when it processes personal information or sensitive personal information of a data subject, take the following technical and administrative measures in accordance with the guidelines prescribed by the Presidential Decree to prevent loss, theft, leakage, alteration, or destruction of personal information:

establishment and implementation of an internal control plan for handling personal information in a safe way

installation and operation of an access control device, such as a system for blocking intrusion to cut off illegal access to personal information

measures for preventing fabrication and alteration of access/log records

measures for security including encryption technology and other methods for safe storage and transmission of personal information, and

measures for preventing intrusion of computer viruses, including installation and operation of vaccine software, and other protective measures necessary for securing the safety of personal information.

BREACH NOTIFICATION

Under the PIPA, if a breach of personal information occurs the personal data controller must notify the data subjects without delay of the details and circumstances, and the remedial steps planned. If the number of affected data subjects is 1,000 or more, the personal data controller shall immediately report the notification to data subjects and the result of measures taken to the PIPC or the Korea Internet & Security Agency (“KISA”).

Additionally, there is a special provision for Online Service Providers regarding data breach notification. When there is a data breach, the affected Online Service Provider is obligated to provide individual notices to online service users and file a personal information leakage report with the details of the leakage and the remedial steps planned to the PIPC or KISA, regardless of the number of affected data subjects.

Furthermore, under the Network Act, an Online Service Provider must, if it discovers an occurrence of intrusion:

report it to the Ministry of Science and ICT (“MSIT”) or KISA within 24 hours of knowledge of the intrusion, and

analyze the causes of the intrusion and prevent damage from being spread, whenever an intrusion occurs.

The MSIT may, if deemed necessary for analyzing the causes of an intrusion, order an Online Service Provider to preserve relevant data, such as access records of the relevant information and communications network.

ENFORCEMENT

The competent authorities may request reports on the handling of personal information, and also may issue recommendations or orders if a personal data controller violates the PIPA. Non-compliance with a request or violation of an order can result in fines, imprisonment, or both.


For example, the PIPC, the supervising authority, can issue a corrective order in response to any breach of an obligation not to provide personal information to a third party. Breach of a corrective order leads to an administrative fine of not more than KRW 30 million. Prior to issuing a corrective order, the PIPC may take an incremental approach and instruct, advise and make recommendations to the personal data controller. On the other hand, where personal information has been transferred to a third party without the consent of the data subject and in the absence of exceptional circumstances, both the transferor and the transferee (if it received the personal information knowing that the data subject had not given consent) can be subject to criminal sanctions (imprisonment of up to 5 years or a criminal fine of up to KRW 50 million).

For Online Service Providers, there is a special provision under the Special Section which imposes an administrative surcharge of up to 3% of the relevant sales (or up to KRW 400 million if it is difficult to calculate the relevant sales) for violation of key obligations of Online Service Providers.

Punitive damages

In instances of data breaches caused by the personal data controller’s intentional act or negligence, the personal data controller may be liable for three times the damages suffered.

ELECTRONIC MARKETING

Under the Network Act, anyone who intends to transmit an advertisement by electronic transmission media must receive the explicit consent of the individual, and if the individual either withdraws consent or does not give consent, then an advertisement for profit may not be transmitted.

In addition, the transmitter of advertisement information for profit must disclose the following information specifically within the advertisement:

the identity and contact information of the transmitter, and

instructions on how to consent or withdraw consent for receipt of the advertisement information.

A person who transmits an advertisement shall not take any of the following technical measures:

a measure to avoid or impede the addressee’s denial of reception of the advertising information or the revocation of his consent to receive such information

a measure to generate an addressee’s contact information, such as telephone number and electronic mail address, automatically by combining figures, codes, or letters

a measure to register electronic mail addresses automatically with intent to transmit advertising information for profit, and

various measures to hide the identity of the sender of advertising information or the source of transmission of an advertisement.

ONLINE PRIVACY

Cookies, logs, IP information, etc. are also regulated by the PIPA as personal information, since, if combined with other information, they may easily enable the identification of a specific individual. Under the PIPA, using cookies (or web beacons) must be done with the opt-out consent of the user, and the privacy policy must publicize the matters concerning the installation, operation and opt-out process for automated means of collecting personal information, such as cookies, logs and web beacons.

The protection of location information is governed by the provisions of the Act on the Protection, Use, etc. of Location Information (“LBS Act”).

Under the LBS Act, any person who intends to collect, use, or provide location information of a person or mobile object shall obtain the prior consent of the person or the owner of the object, unless:

there is a request for emergency relief or the issuance of a warning by an emergency rescue and relief agency

there is a request by the police for the rescue of a person whose life or physical safety is in immediate danger, or

there exist special provisions in any Act.


Under the LBS Act, any person (entity) who intends to provide services based on location information (“Location-based Service Provider”) shall report to the Korea Communications Commission (“KCC”). Further, any person (entity) who intends to collect location information and provide the collected location information to Location-based Service Providers (“Location Information Provider”) shall obtain a license from the KCC.

If a Location Information Provider intends to collect personal location information and provide it to Location-based Service Providers, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

name, address, phone number and other contact information of the Location Information Provider

rights held by the subjects of personal location information and their legal agents and methods of exercising the rights

details of the services the Location Information Provider intends to provide to Location-based Service Providers

grounds for and period of retaining data confirming the collection of location information, and

methods of collecting location information.

If a Location-based Service Provider intends to provide location-based services by utilizing personal location information provided by a Location Information Provider, it must specify the following information in its service agreement, and obtain the consent of the subjects of personal location information:

name, address, phone number and other contact information of the Location-based Service Provider

rights held by the subjects of personal location information and their legal agents and methods of exercising the rights

details of the location-based services

grounds for and period of retaining data confirming the use and provision of location information, and

matters concerning notifying the personal location information subject of the provision of location information to a third party, as below.

If a Location-based Service Provider intends to provide location information to a third party, in addition to the above, it must notify the subjects of personal location information of the third party who will receive the location information and the purpose of this provision.

KEY CONTACTS

Kim and Chang

www.kimchang.com/


Michael Kim
Senior Foreign Attorney

Kim & Chang

T +82-2-3703-1732

michael.kim@kimchang.com

Yoon Ah Ko
Associate

Kim & Chang

T +82-2-3703-5778

yoonah.ko@kimchang.com


SPAIN

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States. However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

After a long delay, in December 2018 the Spanish Parliament approved the new Spanish Fundamental Law on Data Protection and digital rights guarantee (“NLOPD”), which develops and refines the GDPR. It has been in force since 7 December 2018.

DEFINITIONS

“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4 of the GDPR). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26 of the GDPR) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The NLOPD is extremely restrictive regarding the processing of criminal convictions and offences data, which is forbidden except in very exceptional circumstances. Spain deviates notably in this regard from the standard position in the EU, where this prohibition is not usually so strict.

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

Despite following the GDPR’s approach in this regard, the NLOPD also regulates certain features related to personal data of deceased people.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities. The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

The Spanish competent national supervisory authority is the Agencia Española de Protección de Datos (“AEPD”), which also represents Spain on the European Data Protection Board. Regional Data Protection Commissioners do exist to supervise personal data processing by regional public authorities and other entities controlled by regional public authorities.

The contact details of the AEPD are as follows:

Address: C/Jorge Juan, 6, 28001 Madrid, Spain

Telephone: +34 901 100 099/ +34 91 266 35 17

Website: www.aepd.es


REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities. The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

The NLOPD requires this communication to be made within a short period of time (10 days), even for voluntarily appointed DPOs.

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;
its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systemic monitoring of data subjects on a large scale; or
its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;
to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;
to advise and monitor data protection impact assessments where requested; and
to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely.

The NLOPD includes a lengthy list of organisations and companies that are required to appoint a DPO. Accordingly, insurance or reinsurance companies, financial credit institutions, educational institutions, electric and natural gas distributors, and advertising and marketing companies, among others, are required to appoint a DPO. The NLOPD also allows organisations and companies to voluntarily appoint a DPO. Please note that, in either case, the appointment of the DPO must also be communicated to the AEPD using the AEPD online facilities.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);
adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);
accurate and where necessary kept up to date (the “accuracy principle”);
kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and
processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);
where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);
where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Category Data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;
where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
in limited circumstances by certain not-for-profit bodies;
where processing relates to the personal data which are manifestly made public by the data subject;
where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;
where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Indeed, the NLOPD has done so extensively.

Criminal Convictions and Offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

The NLOPD has confirmed this prohibition in very strict terms, with only very extraordinary exceptions (e.g. compliance with a specific legal mandate, activities of lawyers and court representatives acting on behalf of their clients).

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose
the context in which the data have been collected
the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
the possible consequences of the new processing for the data subjects
the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (Privacy Notices)


The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;
the data protection officer’s contact details (if there is one);
both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
the recipients or categories of recipients of the personal data;
details of international transfers;
the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
the consequences of failing to provide data necessary to enter into a contract;
the existence of any automated decision making and profiling and the consequences for the data subject; and
in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12, http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=152065&occ=first&dir=&cid=667631), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)


Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xls).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:

a. necessary for entering into or performing a contract;
b. authorised by EU or Member State law; or
c. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

Data protection principles

The NLOPD foresees certain scenarios where the controller shall not be responsible for inaccurate data (provided it has taken all reasonable measures to ensure deletion or rectification without delay).

Criminal Convictions and Offences data

Article 10 of the NLOPD allows lawyers and legal entities to process the information provided by their clients related to criminal convictions and offences for the purposes of rendering the corresponding legal services.

Processing of administrative offence or penalties

The processing of personal data related to administrative offences or penalties is permitted if it is carried out by the relevant public bodies having sanctioning powers over such offenses, and only to the extent necessary for achieving their legitimate purposes. If those requirements are not met, the processing shall be allowed by a specific law, or be based on the data subject’s consent.

Please note that lawyers and legal entities are also allowed to process the information provided by their clients related to administrative offenses or penalties for the purposes of rendering the corresponding legal services.

Credit Solvency Databases

The NLOPD sets out stringent requirements for including personal data on credit solvency databases. In this regard, the information to be provided to data subjects as well as the particularities of the debt are, among others, key aspects to be taken into account.

CCTV Processing

Under the NLOPD, the processing of images through CCTV is only permitted for security purposes, provided that (i) the data obtained is duly deleted within the corresponding period of time (unless it is relevant for evidence purposes), and (ii) the mandatory notice requirements are met. Additional detailed requirements do apply.

Whistleblowing

The processing of personal data relating to whistleblowing (including anonymous reporting) is permitted provided that (i) employees are duly informed, (ii) whistleblowing databases are only accessed by the persons necessary to carry out internal control purposes or to initiate the relevant disciplinary proceedings, and (iii) the data obtained is duly deleted within the mandatory period of time. Additional detailed requirements do apply.

Unfair competition

The NLOPD generates a new catalogue of “unfair competition practices” linked to personal data.

Data processing for electoral purposes

Political parties, coalitions and electoral groups can use personal data obtained from websites and other public sources to carry out political activities during an election period. Likewise, sending electoral propaganda by electronic means, as well as contracting any such propaganda on social or similar networks, will not be deemed a commercial activity.

Transparency (Privacy Notices)

The NLOPD allows (Article 11) provision of the information required by Articles 13 and 14 of the GDPR in layers. In this sense, a first layer should include the “basic information” of the relevant processing as well as an immediate and easily accessible form (i.e., a link) to the second layer, where the rest of the information to be provided under Articles 13 and 14 of the GDPR shall be included. Please note that the content of the before-mentioned “basic information” depends on each case, but most of the time includes (i) the identity of the controller, (ii) the purpose of the processing, and (iii) the rights under Articles 15 to 22 of the GDPR.

Rights of the data subject

Under the NLOPD, a data subject’s right of access is deemed granted when the controller provides him/her with a means that permanently guarantees remote, direct and secure access to his/her personal data. In addition, the NLOPD indicates that more than one right of access request within six months shall be considered repetitive for the purposes of Article 12(5) of the GDPR unless the relevant requests are based on a legitimate reason.

Under the NLOPD, controllers must clearly indicate in their internal information systems the cases where the processing of personal data is restricted.

Blocking right / Blocking duty (NLOPD)

The NLOPD states that following the exercise of rectification or erasure, controllers shall “block” the personal data so that it shall remain available to the relevant public authorities in very specific situations. The NLOPD also offers other alternatives in case the “blocking” of personal data is not feasible or involves a disproportionate effort.

Rights of the deceased

The NLOPD recognizes the right to digital testament. Moreover, the heirs of the deceased are entitled to exercise the rights of access, erasure and rectification of data unless the deceased person had prohibited it (or if it is not in line with applicable law).

Special category data

The NLOPD deviates from the GDPR’s mainstream approach on special category data. Most of this type of data cannot be processed relying on the consent of the data subject (health, biometric and genetic data being the exception to this ban, but relying on consent may also not be permitted for the latter, and even for standard data, in employment and other contexts).

Location data

The overall position in Spain is that the processing of location data may be acceptable provided that:

users are informed at all times on whether the location system is active and retain full control of the system, freely deciding when to switch it on or off;
the purposes of the processing are legitimate and proportionate and do not harm in an unfair manner the constitutional rights of the data subjects;
users have been clearly informed on the circumstances under which they can be located and the purposes of such processing;
users have the option (especially when being off-duty if the location data is used in an employment context) to turn off the system; and
if in an employment context, the Works Council/representatives of the employees have been informed in advance about the collection of this type of information and the purposes of the processing (which shall remain within the limits of the authority of the employer to direct, control and monitor workers’ professional activities).

One of the main originalities of the NLOPD when compared with the GDPR is that it accepts new “digital rights”, including Internet neutrality, universal access to the Internet, security of online communications, digital education, protection of minors on the Internet, amendment/update of non-accurate information on the Internet, and a right-to-be-forgotten-like right not to be found by search engines on the Internet and social networks.

On top of this, certain provisions of the NLOPD may have an impact on the relationship between a company and its employees (i.e., monitoring of digital devices, digital disconnection of the employees outside working hours, privacy at the workplace).

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)). As of 15 December 2021, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, the Eastern Republic of Uruguay, New Zealand and the United Kingdom. In June 2021, a procedure for the adoption of a similar decision regarding transfers of personal data to South Korea was launched.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules or EU/AEPD standard contractual clauses (a new version of which was approved by the EU Commission in June 2021). The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities (which remains under the NLOPD, however, when EU/AEPD standard contractual clauses are replaced by other sets of clauses or other safeguards).

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Spain 980 | | | www.dlapiperdataprotection.com

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;

b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;

d. the transfer is necessary for important reasons of public interest;

e. the transfer is necessary for the establishment, exercise or defence of legal claims;

f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised

or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in

force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is

no other legal basis for transfer will infringe the GDPR.

SECURITY

Security

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate,

context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and

organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account

of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’

approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymisation and encryption of personal data;

b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming

aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals

and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the

breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory

authority) and permit audits of the record by the supervisory authority.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million

(whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of

an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that

‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European

Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the

Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the

specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same

undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be

scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent

for regulators to impose joint and several liability on parent companies for fines imposed on those subsidiaries in some

circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen

whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories. 

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of

the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by Member State law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide

turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are

effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions. 

The NLOPD has established different levels of infringements (very serious, serious and minor) which are linked to different limitation periods (3, 2 and 1 year respectively).

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site

data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to

receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means

that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf

(Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77). 

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against

a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal basis for electronic marketing will be consent, since the AEPD defends the viewpoint that e-Marketing laws are more specific than the GDPR/NLOPD and shall prevail over the latter when data protection and e-marketing elements concur (a problem that would not be present when marketing deliverables are provided off electronic channels, in which case other legal bases for processing, like the legitimate interest of the sponsor, could be considered again). Where consent is relied upon, the AEPD claims that the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic

marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (ePrivacy Directive), as transposed into the local laws of each Member State. The ePrivacy Directive is expected to be replaced very soon by an EU-level Regulation, whose drafting procedures are nearly finalised. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive shall be replaced, the AEPD claims, with the GDPR standard for consent.

Electronic Marketing is regulated in Spain specifically by the Spanish Act on the Information Society Services and e-Commerce

34/2002 (‘LSSI’). The general principle is that deliveries of electronic marketing materials are lawful only if they have been explicitly

authorised in advance by the recipients (authorisation that is required not just for individuals, but also where the recipient is a

legal entity, broadening here the scope of Spanish Data Protection Act). An exception to this general principle applies to deliveries

to clients when the materials refer to products/services that are equal or similar to the ones sold to them in the past by the company sponsoring the advertisement.

Electronic publicity shall:

a. be clearly marked as such by means of the terms PUBLI or PUBLICIDAD placed inside the subject line,

b. allow the recipient to opt-out at all times, even at the time of registration, and

c. clearly identify the sponsor of the delivery. It is the sponsor of the delivery, not the electronic publicity company, that shall be held liable in case of enforcement. Opt-out shall include an email address when the publicity was delivered by email too. The opt-out procedure shall be simple and free for the recipient of the publicity.

Enforcement shall include, inter alia, fines that, in most cases, shall be between EUR 30,000 and EUR 150,000.

The NLOPD states that databases containing the identification details of those data subjects who have expressed their opposition to receiving commercial communications may be created (the so-called “Robinson’s Lists”). These databases must be reviewed by the entities sending commercial communications (the access details to these databases will be published by the AEPD) unless the relevant data subjects have previously granted their consent to receiving such commercial communications.

Finally, it shall also be taken into account that the NLOPD permits processing activities where the purpose is to avoid sending commercial communications to those data subjects who have expressed their opposition to receiving them.

ONLINE PRIVACY

Cookies are regulated in Spain, in addition to the Spanish Data Protection Act, by the Spanish Act on the Information Society Services and e-Commerce (“LSSI”), as amended in March 2012. In July 2020, the AEPD released new Guidance Notes on the use of cookies. Although the Guidance Notes are not legally binding, they give useful indications on the best market practice and on the criteria that the AEPD would follow when enforcing the law.

The Guidance Notes require data controllers to inform cookies’ recipients – including legal entities – of the existence and use of

cookies, their scope and how to deactivate them. The regulator stresses the need for cookies’ sponsors to make sure (and be able

to demonstrate later on) that the user has noticed the invitation to install and use the cookies and has voluntarily and

unmistakably decided to accept it. Certain types of cookies (eg. session cookies) are exempt from these restrictions. 

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Diego Ramos
Partner

T +34 917901658

diego.ramos@dlapiper.com

SRI LANKA

Last modified 21 December 2021

LAW

At present, Sri Lanka does not have legislation in place that exclusively addresses data protection. However, there is existing legislation, such as the Banking Act No. 30 of 1988 (as amended), which provides for the protection of data on a sector-specific basis.

Sri Lanka is, however, currently in the process of enacting legislation for the purpose of protecting personal data. The Ministry of Digital Infrastructure and Information Technology of Sri Lanka initially introduced the first draft for the Personal Data Protection Bill (hereinafter referred to as the “bill”) in 2019.

On the 15th of November 2021, the bill was approved by the Cabinet of Ministers of Sri Lanka and subsequently published in the

Government Gazette on the 19th of November 2021. 

It is currently awaiting approval by the Parliament of Sri Lanka. No exact time frame has been announced as to when this will take

place. 

The bill is concerned with regulating the processing of personal data, with processing being given a wide definition to include “any operation performed on personal data”, which includes but is not limited to the “collection, storage, preservation, alteration, retrieval, disclosure, transmission, making available, erasure, destruction of, consultation, alignment, combination or the carrying out of logical or arithmetical operations on personal data”.

The types of processing that fall under the ambit of the bill are:

the processing of personal data which takes place wholly or partly within Sri Lanka; or

the processing of personal data which is carried out by a controller or processor who:

is domiciled or ordinarily resident in Sri Lanka

is incorporated or established under any written laws of Sri Lanka

is subject to any written law of Sri Lanka

offers goods or services to data subjects in Sri Lanka including the offering of goods or services to specific

targeting of data subjects in Sri Lanka

specifically monitors the behaviour of data subjects in Sri Lanka, including profiling with the intention of making

decisions in relation to the behaviour of such data subjects insofar as such behaviour takes place in Sri Lanka. 

The provisions of the bill will not extend to data which falls outside the confines of personal data, and personal data which is

processed purely for private, domestic or household purposes by an individual.

DEFINITIONS

Definition of Personal Data

Personal data is defined to mean “any information that can identify a data subject directly or indirectly, by reference to either an identifier

such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological,

genetic, psychological, economic, cultural or social identity of that individual or natural person”. 

A ‘data subject’ is defined as “an identified or identifiable natural person, alive or deceased, to whom the personal data relates” and an ‘identifiable natural person’ is further qualified to be “a natural person who can be identified, directly or indirectly, by reference to any personal data”.

Definition of Sensitive Personal Data

Sensitive personal data, referred to as ‘special categories of personal data’ in the bill, involves personal data which reveals: 

racial or ethnic origin, which is defined as any personal data including photographs that may indicate or be related to the

race or ethnicity of a natural person

political opinions

religious or philosophical beliefs

financial data, which is defined to mean an alpha-numeric identifier or other personal data which can identify an account

opened by a data subject, or card or payment instrument issued by a financial institution to a data subject or any personal

data regarding the relationship between a financial institution and a data subject, financial status and credit history relating

to such data subjects, including data relating to remuneration

processing of genetic data, which is defined to mean personal data relating to the genetic characteristics of a natural

person which gives unique information about the physiology or the health of that natural person which results from an

analysis of a biological sample or bodily fluid of that natural person 

biometric data for the purpose of uniquely identifying a natural person. Biometric data is defined to mean personal data

resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural

person, which allow or confirm the unique identification of that natural person, including facial images, dactyloscopy data

or iris related data

data concerning health, which is defined as personal data related to the physical or psychological health of a natural

person, which includes any information that indicates his health situation or status

data concerning a natural person’s sex life or sexual orientation

personal data relating to offences, criminal proceedings and convictions

personal data relating to a child, defined as a natural person who is below the age of 18 years.

NATIONAL DATA PROTECTION AUTHORITY

A Data Protection Authority is yet to be established in Sri Lanka as the bill has not yet been enacted by the Parliament.

However, as per the provisions of the bill, the Minister who will be assigned the subject of data protection has the prerogative to designate a public corporation, statutory body or any other institution established and controlled by the government to be the Data Protection Authority in Sri Lanka (hereinafter referred to as the “Authority”).

The objectives of the Authority upon its establishment shall be: 

regulating the processing of personal data.

safeguarding the privacy of the individuals from whom data will be collected from any adverse impacts of “digitalization of

procedures and services”, both in the public and private sector.

providing mechanisms to guarantee the protection of personal data of individuals engaged in digital transactions and

communications.

ensuring compliance with the provisions of the legislation. 

The bill also contains powers that will be vested with the Authority, duties and functions of the Authority and directives to be

issued by the Authority in the event a controller or processor acts in contravention of the legislation.

REGISTRATION

The bill does not currently include the need for registration.

DATA PROTECTION OFFICERS

Under the bill, each controller and processor is required to appoint a Data Protection Officer in the following circumstances:   

When personal data processing is done by a ministry, government department or public corporation, with the exception

of the judiciary acting in their judiciary capacity.

Where the core activities carried out by the controller or the processor involve:

operations which, due to their nature, scope or purpose, require systematic monitoring of the data subjects on a

scale and magnitude as may be prescribed;

processing of special categories of personal data (i.e. sensitive personal data) on a scale and magnitude as may be prescribed; or

processing which results in a risk of harm, affecting the rights of the data subjects protected under the bill, based

on the nature of processing and its impact on data subjects. 

The controller or processor has the responsibility to publish the contact details of the Data Protection Officer and communicate

the details to the Authority. 

In the event the controller is a group of entities, the controller has the option to appoint a single Data Protection Officer,

provided that the Officer is easily accessible to each entity. If the controller or processor is a public authority, a single Data

Protection Officer can be designated for several such public authorities, after taking into consideration their organizational

structure. 

As per the provisions of the bill, the Data Protection Officer is required to possess the requisite academic and professional qualifications, including “academic background, knowledge and technical skills in matters relating to data protection”, and the ability to “implement strategies and mechanisms to respond to inquiries and incidents related to processing of personal data”.

The responsibilities of the Data Protection Officer as stipulated in the bill will be as follows:

advising the controller or processor and their employees on the data protection requirements laid down by the proposed

legislation or any other relevant law.

ensuring the controller or processor complies with the legislation.

facilitating capacity building of staff involved in processing of data.

providing advice on personal data protection impact assessments.

co-operating and complying with all instructions and directives issued by the Authority which relate to data protection.

COLLECTION & PROCESSING

Every controller must ensure that personal data is being processed for a “specific, explicit and legitimate purpose”, and that the

personal data collected is not further processed in a manner which is incompatible with that purpose. 

The controller must confine processing to the defined purpose, by ensuring that personal data processed is “adequate, relevant

and proportionate” to the extent necessary to achieve the purpose for which the data was collected or processed. 

The following information must be provided at the time the data is being collected from the data subject: 

identity and contact details of the controller

contact details of the data protection officer

the purpose for which the data will be processed and the legal basis for processing

the legitimate interest pursued by the controller or the third party

the categories of personal data being collected

recipients or third parties with whom their data will be shared

information on cross-border transfers

the time period for retention of the data

the rights of data subjects, such as the right to withdraw consent and the procedure to enforce these rights

the ability to file a complaint with the Authority

whether the provision of personal data is a statutory or contractual obligation or requirement and the consequences of

failing to provide such data

the existence of automated individual decision-making, including profiling, information about the logic involved and

potential consequences of processing for the data subject. 

When a controller intends to further process personal data for a purpose other than for which it was originally collected, the

controller must provide the data subject with detailed information on the further processing and the purpose for it. 

When personal data has been obtained through means other than through a direct interaction with the data subject, the

controller must provide the data subject with the source from which the personal data originates, and whether or not it came

from a publicly accessible source where applicable, in addition to the information that would be required to be provided to a data

subject had there been a direct interaction. 

The controller must provide the requisite information to the data subject:

within a reasonable period of time after obtaining the personal data, but at least within one month, having regard to the

specific circumstances in which the personal data is processed;

if the personal data is to be used for communication with the data subject, at least at the time of the first communication

with the data subject; or

if a disclosure to another recipient is envisaged, at least when the personal data is first disclosed.

Personal data may be lawfully processed under any one of the following grounds:

with the consent of the data subject to process his personal data

where the processing of personal data is necessary for the performance of a contract which the data subject is a party to,

or take steps at the request of the data subject prior to entering into a contract

where the processing of personal data is necessary to comply with a legal obligation to which the controller or the processor is subject

where processing of personal data is necessary to respond to an emergency that threatens the life, health or safety of the

data subject or another natural person

where processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of authority conferred on the controller or processor

where processing of personal data is necessary for the purposes of the legitimate interests pursued by the controller or

by a third party, except where this interest is overridden by the interests of the data subject (in particular when the data

subject is a child). To this end, a “legitimate interest” would include:

where the data subject is a client or in the service of the controller

where a data subject reasonably expects at the time, given the context of the collection of the personal data, that

processing for that purpose may take place

where processing of personal data is strictly necessary for the purpose of preventing fraud

processing of personal data to the extent strictly necessary and proportionate for the purpose of ensuring

network and information security. 

Special categories of personal data

Special categories of personal data may be lawfully processed under any one of the following grounds: 

The data subject has given consent to the processing of special categories of personal data, unless processing of such

personal data is prohibited by another written law, in which case, the data subject’s consent is not a consideration. If the

data subject is a child, consent must be obtained from the parent or legal guardian of the child.

Processing is necessary for the purpose of carrying out the obligations of the controller and exercising of the rights of the

data subject, in the field of employment, social security and for public health purposes (including ensuring public safety,

preventing and controlling communicable diseases and other serious threats to public health).

Processing is necessary to respond to an emergency that threatens the life, health and safety of the data subject or

another natural person where the data subject is physically or legally incapable of giving consent.

Processing relates to personal data which is manifestly made public by the data subject.

Processing is required for the establishment, exercise or defence of legal claims or whenever courts are acting in their

judicial capacity.

Processing is necessary for a purpose mandated by written law, which should be “necessary and proportionate” to the aim

pursued, while providing suitable and specific measures to safeguard the rights and freedoms of the data subject.

Where necessary for preventative or occupational medicine, medical diagnosis, the provision of care or treatment and the

management of health care services. In this instance the data should be processed by a health professional licensed under

and authorised by Sri Lankan law.

Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with the law, provided suitable and specific measures are taken to safeguard the rights and

freedoms of the data subjects.

A controller has the following obligations: 

Ensuring that personal data that is processed is accurate and kept up to date, with every reasonable step being taken to erase or rectify any inaccurate or outdated personal data, without undue delay.

Ensuring that personal data is kept in a form which permits identification of data subjects only for such period which is

necessary or required to achieve the purpose for which the data was processed. A controller may store personal data for

longer periods if the personal data is being processed further for archiving purposes in the public interest, scientific

research, historical research or statistical purposes.

Ensuring integrity and confidentiality by using measures such as encryption, pseudonymisation, anonymisation or access

controls in order to prevent the unauthorised or unlawful processing of personal data or loss, destruction or damage of

personal data.

Processing personal data in a transparent manner, by providing data subjects with information relating to the collection of

data and information regarding any decisions made in relation to requests made by data subjects, in writing or by

electronic means and “in a concise, transparent, intelligible and easily accessible form”.

Ensuring that the processor (who is carrying out processing on behalf of the controller) is bound by a contract setting out

the parameters of such processing, and is using appropriate technical and organizational measures to protect the rights of

the data subjects. 

Two or more controllers may jointly determine the purposes and means of processing. Such controllers will be referred to as

“joint controllers” who will be jointly responsible to honour these obligations. 

Rights of Data Subjects 

The proposed legislation has highlighted the rights of data subjects to a significant extent. A controller must respond to any written request made by a data subject, pertaining to his rights, within twenty-one working days of receiving the request.

The right to access personal data

Every data subject has the right to access their personal data and be provided with confirmation as to whether such personal data has been processed, by submitting a written request.

Right to withdraw consent and object to processing

Every data subject has the right to withdraw consent at any time and the right to request a controller to refrain from further processing of the data subject’s personal data, provided the processing was based on the data subject’s consent.

Right to rectification or completion

Every data subject has the right to request a controller to rectify or complete any personal data that is inaccurate or incomplete.

Right to erasure


The data subject may, under a limited set of circumstances, request the controller to erase his personal data. This includes when a controller is in contravention of his obligations and when the erasure is mandated by a written law or order of a competent court.

The right to appeal

A data subject has the right to appeal to the Data Protection Authority when a controller: 

fails to refrain from further processing of the data subject’s personal data

refuses to rectify or complete personal data

refuses to erase personal data

refuses a data subject’s request based on reasons such as national security interests or public order

refuses the request to review a decision made by the controller which is based solely on automated processing. 

Automated individual decision making

Every data subject has the right to request a controller to review a decision made by the controller which is based solely on automated processing, which has, or has the potential to create, an “irreversible and continuous impact on the rights and freedoms of the data subjects under any written law”.

However, this is not an absolute right and will not be enforceable if the controller’s decision, based on automated processing, is:

authorized by a written law

authorised in a manner determined by the Authority

based on the consent of the data subject

necessary for entering into or the performance of a contract between the data subject and the controller (this will not apply to special categories of personal data).

Processing of personal information for criminal investigations 

Processing of personal data relating to lawful investigations of offences or related to security measures is lawful, contingent on being in line with applicable written laws and providing appropriate safeguards for the rights and freedoms of data subjects.

TRANSFER

When a public authority processes personal data as a controller or processor, personal data may only be processed in Sri Lanka, and shall not be processed in a third country unless the Authority, in consultation with the controller or processor and the relevant regulatory or statutory body, classifies the categories of personal data which may be permitted to be processed in a third country, prescribed by the Minister pursuant to an adequacy decision.

In making an “adequacy decision” the relevant written law and enforcement mechanisms in the specific country relating to the protection of personal data are taken into consideration, along with the processing criteria in that country and such other prescribed criteria relating to the processing of personal data in a third country.

Any such “adequacy decision” made by the Minister will be subject to periodic monitoring of any developments in the third country that may affect the decision, and the decision may be reviewed by the Minister at least every two years. Such adequacy decision will remain in force until amended or revoked by the Minister in consultation with the Authority.

A controller or processor, who is not a public authority, may process personal data:

in a third country pursuant to an adequacy decision; or

in a country, which is not a “third country prescribed pursuant to an adequacy decision”, only when the controller or processor can ensure compliance with the obligations imposed under the bill.

In doing so, in order to ensure compliance, a controller or processor must adopt an instrument, which may be specified by the Authority, to ensure binding and enforceable commitments of the recipient in the third country to ensure the rights of the data subjects are protected and the remedies offered by the legislation are followed.

SECURITY

The bill has put in place procedures and measures to ensure the protection of personal data.

Every controller must ensure integrity and confidentiality of the personal data that is being processed by using appropriate technical and organisational measures including encryption, pseudonymisation, anonymisation or access controls or such other measures as may be prescribed so as to prevent unauthorised or unlawful processing of personal data or loss, destruction or damage of personal data.

In addition, every controller has a duty to implement internal controls and procedures by way of a “Data Protection Management Programme” that:

establishes and maintains duly catalogued records to demonstrate the manner in which the implementation of the data protection obligations stipulated in the bill are being carried out by the controller

is designed on the basis of structure, scale, volume and sensitivity of the processing activities of the controller

provides for appropriate safeguards based on data protection impact assessments (elaborated on hereinbelow)

is integrated into the governance structure of the controller.

A “personal data protection impact assessment” will have to be carried out by a controller where processing involves:

systematic and extensive evaluation of personal data or special categories of data, including profiling

systematic monitoring of publicly accessible areas or telecommunication networks

a processing activity, taking into consideration the scope and risks associated with the processing

A fresh personal data protection impact assessment must be conducted by the controller whenever there is any change in the methodology, technology or process adopted in processing the personal data.

Where a personal data protection impact assessment indicates that the processing of certain personal data could result in a risk of harm to the rights of the data subjects, the controller must take the necessary measures to mitigate the risk, prior to the processing of the personal data. If, after taking measures to mitigate the risk, the controller is still unable to do so, a consultation with the Authority will be required prior to the processing of such data.

BREACH NOTIFICATION

In the event of a data breach, a controller must notify the Authority of the breach, within a time limit that will be determined by rules made under the bill, upon its enactment.

A personal data breach per the bill is defined to include any act or omission that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

After the bill comes into force, the Authority will stipulate by way of rules, the circumstances when the Authority must be notified of any data breaches, when an affected data subject should be notified of a breach, the form the notification of the breach should take and the information that should be provided in the notification.

ENFORCEMENT

The Authority may conduct an inquiry on receipt of a complaint or where the Authority has reason to believe that a controller or processor has acted in contravention of the legislation or has failed to comply with the provisions of the bill.

Upon holding an inquiry, the Authority may issue a directive requiring the controller or processor to either rectify the situation or to cease and refrain from the conduct in question.

A controller or processor who fails to comply with the directive may be subject to a penalty, which may not exceed rupees ten million (Rs. 10,000,000) for each non-compliance.


In addition, if after being subject to a penalty on a previous occasion, a controller or processor fails to conform to a directive, an additional penalty may be levied.

A controller or processor may appeal to the Court of Appeal within twenty-one working days, from the date of notification of the penalty, where the burden of proof will be with the controller or processor, to prove compliance with the legislation.

When imposing a penalty, the Authority would have to take the following into consideration:

the nature, gravity, and the duration of the contravention and the nature, scope and purpose of the processing in question, along with the number of data subjects affected and the level of damage suffered by them

any action taken by the controller or processor to mitigate the damage suffered by the data subjects

the effectiveness of the controller’s “data protection management programme”

the degree of cooperation with the Authority, in order to remedy the contravention and mitigate the adverse effects caused by the contravention

the categories of personal data affected by the contravention

the manner by which the Authority came to know of the contravention, in particular if the controller or processor notified the Authority of the contravention

any previous non-compliance by the controller or processor

any other aggravating or mitigating factors including any financial benefits gained or losses avoided as a result, either directly or indirectly, of the contravention.

ELECTRONIC MARKETING

A controller may use electronic means for the purpose of disseminating marketing messages only if the data subject has consented to receiving such messages (referred to as “solicited messages”).

A data subject has the ability to opt-out of receiving solicited messages free of charge. A controller must provide information to the data subject on how to opt-out of the solicited messages, both at the time of collecting contact information and each time a message is sent to the data subject.

ONLINE PRIVACY

Whilst the bill safeguards online privacy, special provisions are not set out for online cookies etc.

Location data falls within the definition of personal data; as such, all rights of a data subject in relation to personal data will extend to location data.

KEY CONTACTS

FJ&G de Saram

www.fjgdesaram.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Shanaka Gunasekara
Partner

T +94773741097

shanaka.gunasekara@fjgdesaram.com


SWEDEN

Last modified 17 January 2022

LAW

The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) is a European Union law which entered into force in 2016 and, following a two year transition period, became directly applicable law in all Member States of the European Union on 25 May 2018, without requiring implementation by the EU Member States through national law.

A ‘Regulation’ (unlike the Directive which it replaced) is directly applicable and has consistent effect in all Member States.

However, there remain more than 50 areas covered by GDPR where Member States are permitted to legislate differently in their own domestic data protection laws, and there continues to be room for different interpretation and enforcement practices among the Member States.

Territorial Scope

Primarily, the application of the GDPR turns on whether an organization is established in the EU. An ‘establishment’ may take a wide variety of forms, and is not necessarily a legal entity registered in an EU Member State.

However, the GDPR also has extra-territorial effect. An organization that is not established within the EU will still be subject to the GDPR if it processes personal data of data subjects who are in the Union where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) (no payment is required) to such data subjects in the EU or “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the EU.

The Data Protection Act (2018:218) and the Data Protection Ordinance (2018:19) (the “DPA”) – The DPA regulates general aspects of data protection where the GDPR allows, e.g. processing of social security numbers and processing of data pertaining to criminal offences. The DPA entered into force on 25 May 2018.

In addition to the Swedish DPA, a vast number of sector specific acts and amendments to such existing acts have been adopted in Sweden, for example relating to the sectors of healthcare, scientific research, finance, energy, environment, education, referendums/elections, enterprise, communication, labour market, etc.

On December 17th 2021, the new Swedish Whistleblowing Act (2021:890) (the “Whistleblowing Act”) entered into force. The Whistleblowing Act implements the EU Directive 2019/1937 on the protection of persons who report breaches of Union law, and contains a specific chapter regarding processing of personal data (Chapter 7). Chapter 7 of the Whistleblowing Act contains, inter alia, provisions on permitted purposes of processing personal data, internal access to personal data and retention periods. The provisions in the Whistleblowing Act supplement the GDPR.

DEFINITIONS


“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal convictions and offences (Article 10).

The GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who “alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor “processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law, the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

NATIONAL DATA PROTECTION AUTHORITY

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the Cnil in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) is comprised of delegates from the supervisory authorities, and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of “lead supervisory authority”. Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called “lead supervisory authority” (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other “concerned” authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.

Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten),

Drottninggatan 29 5th Floor, Box 8114 104 20 Stockholm

Tel. +46 8 657 6100

imy@imy.se

www.imy.se

REGISTRATION

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.

DATA PROTECTION OFFICERS

Each controller or processor is required to appoint a data protection officer if it satisfies one or more of the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities (Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level, must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks (Article 38(3)).

The specific tasks of the DPO, set out in GDPR, include (Article 39):

to inform and advise on compliance with GDPR and other Union and Member State data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities, awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

This is a good example of an area of the GDPR where Member State gold plating laws are likely. For example, German domestic law has set the bar for the appointment of DPOs considerably lower than that set out in the GDPR.

No derogations except that the Swedish Public Access to Information and Secrecy Act (2009:400) shall apply in relation to the confidentiality obligation of a DPO within the public sector, instead of article 37 GDPR.

COLLECTION & PROCESSING

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up to date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the “integrity and confidentiality principle”).

The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability principle”). Accountability is a core theme of the GDPR. Organisations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known as lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (of the EU) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their legal capacity;

where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorised by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organisations wish to ‘re-purpose’ personal data – i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected, the GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly significantly affects him or her” is only permitted where:


a. necessary for entering into or performing a contract;
b. authorised by EU or Member State law; or
c. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.

In Sweden, data concerning personal identity numbers / social security numbers may be processed without consent only where manifestly justified having regard to the purpose of the processing and the importance of secure identification or some other substantial reason.

Criminal data (Art. 10 GDPR) may be processed by bodies other than public authorities only for the purposes of establishing, exercising or defending legal claims, or to comply with a legal obligation. The Swedish Authority for Privacy Protection (the supervisory authority) is entitled to prescribe further derogations to this provision, e.g. there are exceptions for processing criminal data in whistleblowing systems.

Swedish law may prohibit controllers from disclosing certain data to data subjects. This applies to the rights in Articles 13-15 of the GDPR.

As regards personal data in text which has not been finalised (e.g. drafts) or memory notes, the right under Article 15 of the GDPR will not apply. This exemption may, however, not be relied on by a data controller if such personal data (i) has been disclosed to a third party, (ii) is processed solely for archiving purposes in the public interest or for statistical purposes, or (iii) is processed in draft text for more than one year without being finalised.

TRANSFER

Transfers of personal data by a controller or a processor to third countries outside of the EU (and Norway, Liechtenstein and Iceland) are only permitted where the conditions laid down in the GDPR are met (Article 44).

The European Commission has the power to make an adequacy decision in respect of a third country, determining that it provides for an adequate level of data protection, and therefore personal data may be freely transferred to that country (Article 45(1)).

Currently, the following countries or territories enjoy adequacy decisions: Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available. The list of appropriate safeguards includes amongst others binding corporate rules, standard contractual clauses, and the EU – U.S. Privacy Shield Framework. The GDPR has removed the need which existed in some Member States under the previous law to notify and in some cases seek prior approval of standard contractual clauses from supervisory authorities.

The GDPR also includes a list of context specific derogations, permitting transfers to third countries where:

a. explicit informed consent has been obtained;
b. the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;
c. the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject between the controller and another natural or legal person;
d. the transfer is necessary for important reasons of public interest;
e. the transfer is necessary for the establishment, exercise or defence of legal claims;
f. the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or
g. the transfer is made from a register which according to EU or Member State law is intended to provide information to the public, subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the EU (Article 48) are only recognised or enforceable (within the EU) where they are based on an international agreement such as a mutual legal assistance treaty in force between the requesting third country and the EU or Member State; a transfer in response to such requests where there is no other legal basis for transfer will infringe the GDPR.

SECURITY

The GDPR is not prescriptive about specific technical standards or measures. Rather, the GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

a. the pseudonymisation and encryption of personal data;
b. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

There are no specific security requirements set out in the DPA. However, it should be noted that certain security related provisions are prescribed under the Patient Data Act (2008:355) when processing personal data, regarding e.g. confidentiality, access, and disclosure. Moreover, two-factor authentication when accessing special categories of data over an open network and encryption when sending special categories of data are examples of previous recommendations from the Datainspektionen (the Swedish supervisory authority).

BREACH NOTIFICATION

The GDPR contains a general requirement for a personal data breach to be notified by the controller to its supervisory authority, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the supervisory authority must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the supervisory authority.

There are no derogations under Swedish law, except that personal data breaches that fall under the Swedish Criminal Data Act (2018:1177) shall be reported by public authorities separately in accordance with certain provisions of the act.

ENFORCEMENT

Fines

The GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or EUR 20 million (whichever is higher).

It is the intention of the European Commission that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position. Unhelpfully, the Treaty does not define ‘undertaking’ and the extensive case-law is not entirely straightforward, with decisions often turning on the specific facts of each case. However, in many competition cases, group companies have been regarded as part of the same undertaking. The assessment will turn on the facts of each case, and the first test cases under the GDPR will need to be scrutinised carefully to understand the interpretation of ‘undertaking’. Under EU competition law case-law, there is also precedent for regulators to impose joint and several liability on parent companies for fines imposed on their subsidiaries in some circumstances (broadly where there is participation or control), so-called “look through” liability. Again, it remains to be seen whether there will be a direct read-across of this principle into GDPR enforcement.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to EUR 20 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;
data subjects’ rights;
international transfer restrictions;
any obligations imposed by Member State law for special cases such as processing employee data; and
certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to EUR 10 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;
obligations of certification bodies; and
obligations of a monitoring body.

Supervisory authorities are not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).

Fines can be imposed in combination with other sanctions.

Investigative and corrective powers

Supervisory authorities also enjoy wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.
data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with a supervisory authority (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of a supervisory authority concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

In relation to public authorities, administrative fines under the Swedish DPA may amount to a maximum of SEK 5 000 000 (in relation to Article 83(4) GDPR) and SEK 10 000 000 (in relation to Articles 83(5) and 83(6) GDPR).

Moreover, the DPA regulates procedural matters relating to decisions on administrative fines and how to appeal such decisions made by authorities (for example, the right to appeal to the Swedish Administrative Court).

ELECTRONIC MARKETING

The GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).

Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are to be found in Directive 2002/58/EC (“ePrivacy Directive”), as transposed into the local laws of each Member State. The ePrivacy Directive is to be replaced by a Regulation. However, it is currently uncertain when this is going to happen, as the European Commission has discarded its draft of the ePrivacy Regulation after disagreements by the Member States in the Council of the European Union. In the meantime, GDPR Article 94 makes it clear that references to the repealed Directive 95/46/EC will be replaced with references to the GDPR. As such, references to the Directive 95/46/EC standard for consent in the ePrivacy Directive will be replaced with the GDPR standard for consent.

The Act applies to most electronic marketing activities, given that it is likely that such marketing involves processing of personal data (e.g. an e-mail address is likely regarded as personal data under the Act). Please note that if the data subject’s e-mail address has not been obtained in the context of a customer relationship or similar, the data subject’s consent is, as a main rule, required for electronic marketing. Moreover, a data subject has a right to at any time oppose (‘opt-out’ of) further processing of his or her personal data for marketing purposes.

There is no provision in the DPA which concerns in particular the processing of personal data in relation to electronic marketing. There is, however, pre-existing legislation in Sweden (such as the Marketing Act (2008:486) and the Electronic Communications Act (2003:389)) implementing the EU Directive 2002/58/EC (the “ePrivacy Directive”) which regulates electronic marketing in Sweden.

Note that certain provisions relating to electronic marketing under Swedish law may be amended in the future due to the upcoming ePrivacy Regulation which will become immediately enforceable as law in all EU member states.

ONLINE PRIVACY

Pursuant to the Swedish Electronic Communications Act (as amended by e-Privacy Directive 2009/12/EC), a cookie may be stored on a user’s terminal equipment only if the user has been given access to information on the purpose of the processing and has given his or her consent, i.e. the user must give his/her prior ‘opt-in’ consent before a cookie is placed on the user’s computer. In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements and stated that cookie consent must be given by a statement or clear affirmative action (consent cannot be validly obtained through pre-ticked checkboxes).

Consent is, however, not required for cookies that are:

used for the sole purpose of carrying out the transmission of communication over an electronic communications network; or
necessary for the provision of a service explicitly requested by the user.

Wilful or negligent breach of the Swedish Electronic Communications Act in this regard is sanctioned with fines, provided that the offence is not sanctioned by the Swedish Criminal Code (Sw. brottsbalken). However, if the breach is deemed to be minor, no sanction shall be imposed. To our knowledge there has been no case where a website operator has been fined for breach of the Swedish Electronic Communications Act.

Sweden has set the digital age of consent as 13 in relation to information society services.

KEY CONTACTS

Jennie Nilsson
Advokat/Partner
T +46 73 867 67 87
jennie.nilsson@se.dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

SWITZERLAND

Last modified 31 December 2021

LAW

The processing of personal data is mainly regulated by the Federal Act on Data Protection of June 19, 1992 (DPA) and its ordinances, i.e., the Ordinance to the Federal Act on Data Protection (DPO) and the Ordinance on Data Protection Certification (ODPC).

In addition, the processing of personal data is further restricted by provisions in other laws, mainly with regard to the public sector and regulated markets.

It should be noted that the DPA has recently been subject to a substantial revision. On September 15, 2017, the Federal Council published the final draft and the dispatch to the Federal Parliament regarding the new DPA. In the summer of 2018, the revision was split into two parts. The first part relates to the implementation of the EU Directive 2016/680 in the context of the Schengen/Dublin treaty and has no immediate impact on data subjects (as it is generally limited to the federal authorities’ competencies in the context of administrative and judicial assistance in criminal matters). This first part came into force on March 1, 2019.

The second part is the actual comprehensive revision of the DPA (based on the draft legislation of September 15, 2017). The detailed consultation in Parliament started in June 2018. On September 25, 2020, the Parliament approved the final text of the revised law, and the referendum period expired on January 14, 2021. This concludes the legislative project to revise the DPA. However, the corresponding implementing provisions in the DPO have not yet been enacted. A first draft of the revised DPO published by the Federal Council has met harsh criticism, in particular regarding far-reaching extensions of obligations which had no legal basis in the DPA. The Federal Council has taken note of this and is in the process of redrafting the DPO, which is not expected to be published before spring 2022. As the revised DPA and implementing DPO shall come into force simultaneously, it is to be expected that they will not enter into force before mid-2022 or even the beginning of 2023. It should be noted that the revised DPA does not provide for a transition period, but will become effective immediately upon its entry into force.

The revision of the DPA aims to strengthen data protection in general and to align the DPA with the requirements of the EU General Data Protection Regulation (GDPR), in order to facilitate compliance of Swiss companies with those aspects of the GDPR that are applicable to controllers or processors outside of the EU, and to ensure that the EU will continue to consider Switzerland as providing an adequate level of data protection. However, the revised DPA will still provide for certain deviations from the GDPR provisions, thus requiring certain “Swiss Add-Ons” in a number of areas.

Territorial scope

The current DPA’s extraterritorial applicability is very limited and based on Swiss private international law. The revised DPA will, like the GDPR, have an extraterritorial scope and thus be applicable, for instance, to international companies with group entities in Switzerland or, under certain circumstances, to international companies even without such a subsidiary in Switzerland, based on doing business in Switzerland.


In addition, the revised DPA provides that private controllers domiciled abroad must designate a representative in Switzerland if they process personal data of data subjects in Switzerland and the data processing fulfils all of the following requirements:

The data processing is connected to offering goods or services in Switzerland or to monitoring the behavior of data subjects in Switzerland.
The processing is extensive.
The processing is regular.
The processing involves a high risk for the personality of the data subjects.

For civil claims, the Swiss conflict of law rules apply.

DEFINITIONS

Definition of personal data

Personal data means all information relating to an identified or identifiable natural or legal person. It should be noted that data relating to legal entities falls within the scope of current Swiss data protection law, as opposed to the GDPR. However, the revised DPA will, like the GDPR, apply only to personal data pertaining to individuals.

Definition of sensitive personal data

Sensitive personal data is defined as data on:

Religious, ideological, political or trade union related views or activities
Health, the intimate sphere or racial or ethnic origin
Social security measures
Administrative or criminal proceedings and sanctions

The revised DPA provides that, in addition, genetic data and biometric data which unequivocally identifies a natural person be considered “sensitive personal data”.

The current DPA defines “personality profiles” as collections of data that permit an assessment of essential characteristics of the personality of a natural person and assigns them the same level of protection as “sensitive personal data”.

The revised DPA will replace the concept of “personality profiles” with the concept of “profiling”, similar to that notion under the GDPR, with “high-risk profiling” (entailing a high risk to the personality or fundamental rights of the data subject) being subject to more stringent requirements similar to “sensitive personal data”.

NATIONAL DATA PROTECTION AUTHORITY

Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
CH – 3003 Berne Switzerland
T +41 (0)58 462 43 95
F +41 (0)58 465 99 96

The FDPIC supervises federal and private bodies, advises and comments on the legal provisions on data protection and assists federal and cantonal authorities in the field of data protection.

The FDPIC informs the public about its findings and recommendations, and maintains and publishes the register for data files.

Under the revised DPA the FDPIC’s supervisory powers will be extended.


REGISTRATION

Under the current DPA the processing of personal data by private persons does not usually have to be notified or registered. However, private persons must register their data files before the data files are opened, if:

They regularly process sensitive personal data or personality profiles, or
They regularly disclose personal data to third parties;

…and if none of the following exemptions applies:

The data is processed pursuant to a statutory obligation.
The Swiss Federal Council has exempted the particular processing from the registration requirement because it does not prejudice the rights of the data subjects (which the Swiss Federal Council has done in the DPO, inter alia, regarding data files from suppliers or customers, provided they do not contain any sensitive personal data or personality profiles).
The data controller uses the data exclusively for publication in the edited section of a periodically published medium and does not pass on any data to third parties without informing the data subjects.
The data is processed by journalists who use the data file exclusively as a personal work aid.
The data controller has designated a data protection officer who independently monitors internal compliance with data protection regulations and maintains a list of the data files.
The data controller has acquired a data protection quality mark under a certification procedure and has notified the FDPIC of the result of the evaluation.

The revised DPA provides for a general duty for controllers and processors to maintain a list of processing activities with certain minimal information, whereby the Federal Council may provide for exceptions for companies with fewer than 250 employees whose processing entails only a low risk of infringing the personality of the data subjects.

DATA PROTECTION OFFICERS

There is no requirement under the current or the revised Swiss data protection law to appoint a data protection officer. However, under the current law a data controller can be dispensed from registering its data files if it has designated a data protection officer who:

Carries out his / her duties autonomously and independently
Has a certain level of expertise that is appropriate for the relevant data processing at the company (whereas it is not relevant whether or not the respective expertise was acquired in Switzerland)
Must check and audit the processing of personal data within the company
Must be in a position to recommend corrective measures when detecting any breaches of applicable data protection rules
Must have access to all data files and all data processing within the company as well as to all other information that he/she requires to fulfill his/her duties
Must maintain records of all data files controlled by the company and provide this list to the FDPIC or affected data subjects upon request, and
May not carry out any other activities that are incompatible with his/her duties as data protection officer

The data controller must notify the FDPIC of the appointment of a data protection officer and thereupon such data controller will be listed on the public list of companies exempt from the requirement to register their data files.

The revised DPA also provides that controllers have the option to appoint a data protection officer whose contact data may be published and notified to the FDPIC. In such case, the controller has no obligation to consult with the FDPIC in the event that a data protection impact assessment indicates a significant risk to the personality or the fundamental rights of the data subject.

COLLECTION & PROCESSING

Data Processing Principles

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Switzerland 1007 | | | www.dlapiperdataprotection.com

The following principles apply to the collection and processing of personal data (while under current law personal data of legal entities is included, the revised DPA will apply only to personal data pertaining to individuals):

Personal data may only be processed lawfully, in good faith and according to the principle of proportionality. In addition, the revised DPA introduces the concepts of privacy by design and default.

The collection of personal data and, in particular, the purpose of its processing must be evident to the data subject. In addition, the revised DPA explicitly introduces the following duties on data controllers:

Duty to inform the data subject on the collection of personal data, similar to that under the GDPR, with the list of minimum information being shorter (however providing for information on the countries of processing), but drafted more openly as a non-exhaustive list of minimum information;

Under certain circumstances, the duty to inform the data subject on decisions based solely on automated processing that have legal consequences or a significant impact on the data subject (automated individual decision).

Personal data should only be processed for a purpose that is indicated or agreed at the time of collection, evident from the circumstances at the time of collection, or provided for by law.

The data controller and any processor must ensure that the data processed is accurate. Personal data must not be transferred abroad if the privacy of the data subject may be seriously endangered (see below).

Personal data must be protected from unauthorized processing by appropriate technical and organizational measures.

Personal data must not be processed against the explicit will of the data subject, unless this is justified by:

An overriding private or public interest, or

Law, and

Sensitive personal data or personality files must not be disclosed to a third party, unless this is justified by:

the consent of the data subject (which must be given expressly in addition to being voluntary and based on adequate information)

an overriding private or public interest

Whilst the current DPA does not provide for a formal duty to conduct a data protection impact assessment, the revised DPA introduces such a formal obligation if the processing may constitute a high risk for the personality or the fundamental rights of the data subject (particularly when new technologies are used) and also defines specific cases where a data protection impact assessment is necessary, including in the event of processing sensitive personal data on a broad scale and systematic surveillance of extensive public areas. The FDPIC generally needs to be notified if the data protection impact assessment shows that the processing presents a high risk for the personality or fundamental rights of the data subject despite the measures envisaged by the controller.

Rights of the Data Subject

Data subjects enjoy certain rights to control the processing of their personal data:

Right of access

A data subject is generally entitled to request access to, and obtain a copy of, his or her personal data that is contained in a “data file” (or, under the revised DPA, that is being processed), together with prescribed information on the identity and contact details of the controller, the source of the data, the purpose of, and if applicable the legal basis for, the processing as well as the categories of personal data processed, the other parties involved with the file and the data recipients. The revised DPA additionally requires that the period of storage of personal data (or the criteria used to determine such period) and, if applicable, the existence of an automated individual decision as well as the logic on which the decision is based is provided to the data subject. There are certain exceptions, eg a data controller may invoke its own overriding interests, however only if it does not disclose the personal data to third parties (whereby companies controlled by the same legal entity are not considered third parties under the revised DPA).

Right to rectify / Right to erasure / Right to restriction of processing / Right to object

Data subjects may generally require inaccurate or incomplete personal data to be corrected or complemented. In addition, the above-mentioned rights may arise from the general data protection principles, in particular the principle of proportionality (i.e. the data must only be processed to the extent and for as long as it is required to achieve the legitimate processing purpose). The revised DPA explicitly states that data must be erased or anonymized once it is no longer required to achieve the processing purpose.

Right to data portability

Whilst current data protection law does not explicitly provide for any right to data portability, the revised DPA introduces such a right, similar to that in the GDPR.

TRANSFER

Personal data may be transferred outside Switzerland if the destination country offers an adequate level of data protection. The FDPIC maintains and publishes a non-binding list of such countries (the revised DPA provides for binding adequacy decisions by the Federal Council). It should be noted that, under Swiss data protection law, remote access to data residing in Switzerland from outside of Switzerland is considered a transfer / disclosure abroad.

The FDPIC deems the data protection legislation of all EU and EEA countries to be adequate with regard to personal data of individuals. With regard to personal data of legal entities, this is not the case, as pursuant to the corresponding list of “safe countries” published by the FDPIC (which is, however, neither binding nor exhaustive) only the data protection law of Argentina covers personal data pertaining to legal entities as well (regarding legal entities domiciled in Argentina) and is thus deemed to provide an adequate level of data protection.

In the absence of legislation that guarantees adequate protection, personal data pertaining to individuals or, under current Swiss data protection law, to legal entities, may be disclosed abroad only if at least one of the following conditions is fulfilled:

Sufficient safeguards, such as data transfer agreements, or other contractual clauses, ensure an adequate level of protection abroad. Under the current DPA, data transfer agreements or other contractual clauses must be notified and submitted for approval to the FDPIC, whereas mere information will suffice if model clauses acknowledged by the FDPIC are used, e.g. the EU Standard Contractual Clauses (“SCC”) with the necessary amendments for Switzerland. On June 4, 2021, the European Commission issued new SCC. According to the FDPIC, these new SCC can also be used to safeguard cross-border data transfers from Switzerland to countries without an adequate level of data protection, provided they are (slightly) amended to comply with the DPA. “Old” safeguards based on the former SCC may, as of October 2021, no longer be used for new data transfers. For existing data transfers put in place before October 2021, they may still be used, provided there are no substantial changes to the data transfers in question, until the end of 2022. As of January 1, 2023, they will have to be replaced by safeguards based on the new SCC, with the necessary amendments for Switzerland. Under the revised DPA, the FDPIC will no longer have to be notified about the implementation of SCC, to the extent he has previously approved, issued or recognized the corresponding model clauses. Safeguards based on the new EU SCC (amended for Switzerland) will thus no longer have to be notified under the revised DPA.

Binding corporate rules that ensure an adequate level of data protection in cross-border data flows within a single legal entity or a group of affiliated companies. Such rules must be notified to the FDPIC.

The data subject consents to the particular data export (consent must be given for each individual case or, according to legal doctrine and practice, for a number of cases under the same specific circumstances, eg, data export for certain specifically defined purposes; in contrast, a generic consent which does not further specify the circumstances under which data is disclosed is not sufficient). The revised DPA provides that the consent must be explicit.

The processing is directly connected with the conclusion or performance of a contract with the data subject.

The disclosure is essential in order to safeguard an overriding public interest or for the establishment, exercise or enforcement of legal rights before the courts (the revised DPA extends the derogations to include the establishment, exercise or enforcement of legal rights before other competent foreign authorities, i.e. not necessarily courts).

The disclosure is required in order to protect the life or the physical integrity of the data subject (or, under the revised DPA, of a third party).

The data subject has made the personal data publicly accessible and has not expressly prohibited its processing.

Under the current DPA, only the violation of the notification obligation relating to safeguards for cross-border transfers is subject to sanctions, whereas under the revised DPA, violations of the obligations regarding cross-border transfers of personal data themselves will be subject to sanctions.

Regarding cross-border data transfers to the US, it is to be noted that the Swiss-US Privacy Shield is no longer considered a sufficient measure: According to the FDPIC’s position paper of September 8, 2020, the Swiss-US Privacy Shield regime does not provide an adequate level of protection for data transfers from Switzerland to the US pursuant to the DPA. The FDPIC has thus followed the ECJ decision (regarding the inadequacy of the EU-US Privacy Shield) for the Swiss-US Privacy Shield as well.

SECURITY

The data controller and any processor must take adequate technical and organizational measures to protect personal data against unauthorized processing and ensure its confidentiality, availability and integrity. In particular, personal data must be protected against the following risks:

Unauthorized or accidental destruction

Accidental loss

Technical errors

Forgery, theft or unlawful use

Unauthorized altering, copying, accessing or other unauthorized processing

The technical and organizational measures must be appropriate, in particular with regard to the purposes of the data processing, the scope and manner of the data processing, the risks for the data subjects and the current technological standards. The DPO sets out these requirements in more detail.

The revised DPO may impose additional or other minimum requirements. A draft version of the DPO has been published, but met harsh criticism in the consultation process, in particular as it contained further obligations without legal basis in the underlying DPA. It is expected that the DPO will be redrafted substantially before being enacted.

Under the revised DPA, violations of the minimum data security requirements (which yet remain to be defined in detail by the Federal Council) will be subject to sanctions.

BREACH NOTIFICATION

The current DPA does not impose an explicit statutory requirement to notify the FDPIC or the affected data subjects of data security breaches. However, depending on the scale and severity of a breach, a notification of the data subjects may be necessary based on the data controller’s and processor’s obligation to ensure data security (to avoid further damage), the principle of good faith or pursuant to contractual obligations.

The revised DPA introduces the obligation to notify the FDPIC of any data breach, however only if the breach is likely to result in a high risk to the personality rights or the fundamental rights of the data subject. The notification has to occur as soon as possible. In addition, a formal obligation to notify the data subject exists under the revised DPA in case such notification is necessary to protect the data subject’s interests or if the FDPIC so requests.

ENFORCEMENT

Investigations by the FDPIC

Under current data protection law the FDPIC does not have specific direct powers to enforce the DPA. He may investigate cases on his own initiative or at the request of a third party and may issue recommendations that a specific data processing practice be changed or abandoned. If the FDPIC’s recommendation is not complied with, he may refer the matter to the Swiss Federal Administrative Court for a decision.

In a recent proceeding that concluded with a final report on August 4, 2021, the FDPIC addressed privacy concerns regarding a contact tracing app for restaurants and other venues which had been developed by a private company in the context of the COVID-19 pandemic. The FDPIC identified numerous shortcomings regarding the tracing app, such as organizational and technical deficiencies. His investigation also revealed that the company granted authorities of two cantons direct access to the central database, making it available for almost any person-related queries, thereby violating the principle of proportionality. As a result, personal data was (allegedly) processed for purposes other than those initially intended. Further privacy concerns related to the completeness of the information provided to users, the transfer of telephone numbers to the USA as part of the number verification process, and the configuration of the platform on which the central database was located.

After a lengthy procedure, the FDPIC issued ten recommendations, the majority of which were accepted and implemented by the company in question. Some of the deficiencies were initially disputed, but later acknowledged and, according to the company’s own statement, resolved. The FDPIC reserved the right to verify the implementation of his recommendations as part of follow-up inspections. To the extent that his recommendations were not fully acknowledged by the company, the FDPIC has also reserved the right to conduct follow-up checks and, if necessary, to bring an action before the Federal Administrative Court, which could then issue a (legally binding) decision.

The revised DPA will extend the FDPIC’s supervisory powers: In particular, the FDPIC may under certain conditions initiate an investigation against a federal body or a private person and will have the authority to directly issue orders and warnings. With regard to the above-mentioned investigation regarding the contact tracing app, the revised DPA would allow the FDPIC, for example, to directly order that certain data processing activities be adjusted, suspended or terminated, without having to first issue (non-binding) recommendations only and then, to the extent necessary, involve the Federal Administrative Court.

Sanctions

The current DPA provides for criminal liability and fines of up to CHF 10,000 if a private person intentionally fails to comply with the following obligations under the DPA:

Duty to provide information when collecting sensitive data and personality profiles

Duty to safeguard the data subject’s right to information

Obligation to notify the FDPIC with regard to contractual clauses or binding corporate rules in connection with data transfers abroad

Obligation to register data files, or

Duty to cooperate in an FDPIC investigation

Furthermore, the DPA provides for criminal liability and fines of up to CHF 10,000 if a private person willfully discloses confidential, sensitive personal data or personality profiles that have come to his or her knowledge in the course of his or her professional activities, where such activities require the knowledge of such data, or in the course of his or her activities for a person bound by professional secrecy obligations or in the course of training with such a person.

Criminal proceedings must be initiated by the competent cantonal prosecution authority.

Under the revised DPA a number of violations of the DPA or lack of cooperation with the FDPIC can result in criminal fines of up to CHF 250,000 against responsible individuals (acting intentionally).

Finally, under Swiss civil law the data subject may apply for injunctive relief and may file a claim for damages as well as satisfaction and/or surrender of profits based on the infringement of his/her privacy.

ELECTRONIC MARKETING

Electronic marketing practices must comply with the provisions of the Swiss Federal Act against Unfair Competition (“UCA”).

With regard to the sending of unsolicited automated mass advertisements (which, in addition to emails, includes SMS, automated calls and fax messages), the UCA generally requires prior consent by the recipient, ie, ‘opt-in’. As an exception, mass advertisements may be sent without the consent of the recipient:

If the sender received the contact information in the course of a sale of his / her products or services

If the recipient was given the opportunity to refuse the use of his / her contact information upon collection (opt-out), and

If the mass advertising relates to similar products or services of the sender

In addition, mass advertising emails must contain the sender’s correct name, address and email contact and must provide for an easy-access and free-of-charge ‘opt-out’ from receiving future advertisements.

The UCA generally applies to business-consumer relationships as well as to business-business relationships, ie, mass advertisements sent to individuals and to corporations are subject to the same rules.

Direct marketing by telephone is not impermissible in Switzerland as long as it is not done in an aggressive way (eg, by repeatedly calling the same person). However, the current UCA in its latest revision prohibits direct marketing by telephone:

if the recipient is not listed in the Swiss telephone directory, or if the recipient is listed in the Swiss telephone directory but has indicated that he/she does not wish to receive advertising from persons with whom he/she has no business relationship; or

if the caller is not calling from a telephone number that (i) is listed in the Swiss telephone directory, (ii) is shown when calling, and (iii) he/she is entitled to use.

In order to enforce the above criteria, the revised UCA not only sanctions the violation of these principles, but also the use of information that has been obtained in violation thereof (e.g. someone using the information obtained from non-compliant call centers). An intentional violation can be sanctioned with a custodial sentence of up to three years or a monetary penalty.

In addition to the rules of the UCA, the general data protection principles under the DPA also apply with regard to electronic marketing activities, eg, the collection and maintenance of email addresses or processing of any other personal data.

ONLINE PRIVACY

The processing of personal data in the context of online services is subject to the general rules pertaining to the collection of personal data under the DPA. In addition, certain aspects of online privacy are covered by other regulations, such as the use of cookies, which is also subject to the Swiss Telecommunications Act (TCA).

Under the TCA, the use of cookies is considered to be processing of data on external equipment, eg, another person’s computer.

Such processing is only permitted if users are informed about the processing and its purpose as well as about the means to refuse the processing, eg, by configuring their web browser to reject cookies.

In addition, the general rules under the DPA apply where cookies collect data related to persons who are identified or identifiable, ie, personal data. The collection of personal data through cookies as well as the purpose of such a collection must be evident to the data subject. The personal data collected may only be processed for the purpose:

Indicated at the time of collection,

That is evident from the circumstances, or

That is provided for by law.

Where the personal data collected through a cookie is (a) considered sensitive data, eg, data regarding religious, ideological, political views or activities, or (b) so comprehensive that it forms a personality profile, ie, permits an assessment of essential characteristics of the personality of a person, or (under the revised DPA) is considered to result from high-risk profiling, then regarding both (a) and (b) the stricter rules pertaining to the processing of sensitive personal data are applicable.

These stricter rules provide, inter alia, that the data subject must be informed of:

The identity of the data controller

The purpose of data processing, and

The categories of data recipients if the data shall be disclosed to third parties.

The revised DPA will contain a number of information obligations the violation of which will be subject to sanctions. Furthermore, in relation to the processing of sensitive personal data or personality profiles, or (under the revised DPA) in relation to high-risk profiling, implied consent is not sufficient; consent must be given expressly.

KEY CONTACTS

Schellenberg Wittmer Ltd

www.swlegal.ch/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Roland Mathys
Partner / Attorney at Law

T +41 (0)44 215 3662

roland.mathys@swlegal.ch

Samuel Klaus
Partner / Attorney at Law

T +41 (0)44 215 3695

samuel.klaus@swlegal.ch

Kenzo Thomann
Associate / Attorney at Law

T +41 (0)44 215 3659

kenzo.thomann@swlegal.ch


https://www.dlapiperdataprotection.com/scorebox/


TAIWAN

Last modified 10 December 2021

LAW

The Taiwan Personal Data Protection Act (“PDPA”) as most recently amended on December 30, 2015 and the Enforcement Rules of the Personal Data Protection Act (“Enforcement Rules”) as later amended on March 2, 2016.

DEFINITIONS

Definition of personal data

The PDPA defines “personal data” as the name, date of birth, identification card number, passport number, special traits, fingerprints, marital status, family, education, profession, medical history, medical treatment, genetic information, sexual life (including sexual orientation), health examination, criminal record, contact information, financial condition, and social activities of a natural person, as well as other data by which such person may be directly or indirectly identified.

Definition of sensitive personal data

The PDPA defines “sensitive personal data” as medical records, medical treatment, genetic information, sexual life (including sexual orientation), health examination and criminal records.

NATIONAL DATA PROTECTION AUTHORITY

The regulatory body with overall responsibility for data protection is the National Development Council. However, the authority with jurisdiction over the relevant data collector has primary enforcement responsibility (e.g. the Financial Supervisory Commission has the primary enforcement responsibility vis-à-vis financial institutions).

REGISTRATION

Taiwan does not have a registration system for personal data protection.

DATA PROTECTION OFFICERS

The PDPA does not impose a general requirement to have a data protection officer. However, there are industry-specific regulations in certain industries (such as financial institutions or airlines) requiring personnel to handle personal data protection matters.

COLLECTION & PROCESSING

Under the PDPA, in order to collect, process and use personal data, the data collector is required to give a data subject a privacy notice at the time the data subject’s personal data is first collected. Such privacy notice is required, inter alia, to contain:

the name of the data collector

the purpose of collection

classification of personal data to be collected

time period for the use, geographical area of the use, recipients of the data and the manner of using personal data

the rights of the data subject to request to review his/her personal data, to make copies of such personal data, to supplement or correct such personal data, to discontinue collection, processing or use of personal data or to delete such personal data, together with the manner in which the data subject makes such requests, and

the impact on the data subject’s rights and interests if the data subject chooses not to provide his/her personal data. 

As long as the privacy notice is given when first collecting the personal data, and the privacy notice meets the content requirements set out in the PDPA, the privacy notice is by itself considered sufficient (i.e. consent is not required). This is unless sensitive personal data is collected, in which case data subject consent is required.

TRANSFER

The privacy notice to data subjects must set out the extent to which personal data will be transferred to others. 

Cross-border transmissions of personal data are regulated by the PDPA. The Taiwan authorities may restrict the cross-border transmission and use of personal data in the following circumstances:

when a substantial interest of Taiwan is at stake;

as provided under an international treaty or agreement (as at December 10, 2021, there are no such treaties or agreements in place);

when the receiving country lacks proper laws or regulations to adequately protect personal data or where infringement of the rights and interests of the data subject is threatened; or

the purpose of the transfer is to evade the application of the PDPA.

The Taiwan National Communications Commission (NCC) issued an order in 2012 prohibiting communications enterprises from transferring subscribers’ personal data to mainland China on the grounds that the personal data protection laws in mainland China were still inadequate. As at December 10, 2021, there are no other restrictions or prohibitions on cross-border transfers to any country/area.

SECURITY

A data collector is required to adopt proper security measures to prevent personal data from being stolen, altered, damaged, destroyed or disclosed.

In addition, the relevant competent authority at the central government level may designate certain data collectors for setting up plans of security measures for personal data files or the disposal measures for personal data after termination of business. As at December 10, 2021, industry-specific guidelines governing the plan of security measures for personal data files have been promulgated for many industries, including for financial institutions, human resources recruitment business, hospitals, manufacturers, and others.

BREACH NOTIFICATION

Upon a data breach, the data collector is required to promptly notify the data subject of:

the fact of the infringement

the measures the data collector has taken to respond to such infringement, and

the contact information of the data collector.

The notice may be made orally, by written document, telephone, text message, email, facsimile, electronic record, or in another manner by which the data subject can receive such notice. If the cost of notifying each data subject is “too high”, such notice may be made via the Internet or news media.

In addition, the data collector in certain industries (e.g. travel agents, financial institutions) is required to report to their respective industry regulator and, where it is required to do so, the report to the industry regulator needs to include:

the fact that personal data may have been compromised

the measures the data collector has taken to respond to such compromise (including evidence that the data collector has notified the affected individuals)

the investigation by the data collector (or any outside forensic firm) as to how the data breach occurred

the preventive measure(s) the data collector will take to prevent recurrence of data breach in the future, and

any other information that the industry regulator may require on a case-by-case basis.

In September 2021, steps were taken by the Taiwan authorities to expand the material data breach reporting obligations of security service providers, pawnshops and financial institutions by (i) requiring such enterprises to report material data breaches to the relevant industry competent authority within a specified period (e.g. 72 hours) and (ii) requiring such competent authorities to further report such breach to the National Development Council within 72 hours of becoming aware of the breach. Such steps are now being implemented or will shortly become effective.

ENFORCEMENT

In addition to civil damages, violations of the PDPA, depending on the specific violation, are also subject to administrative sanctions and criminal sanctions and, in some cases, imprisonment.

Civil damages 

If a data collector intentionally or negligently violates any provision of the PDPA and such violation causes illegal collection, processing or use of personal data or other infringement to a data subject, the data collector is liable to compensate the data subject for the damages suffered. Compensation may be both monetary and in the form of corrective measures (e.g. to rectify damage to the data subject’s reputation).

Where the victims may not have access to or cannot provide evidence for the amount of actual damage, the minimum amount is NT$500 (approx. US$18 as at December 10, 2021) and the maximum is NT$20,000 (approx. US$690 as at December 10, 2021) per violation/per injured party depending on the severity of the infringement. In the case of class actions, the aggregate total compensation to the class as a whole is limited to NT$200,000,000 (approx. US$6,900,000 as at December 10, 2021). However, one should not necessarily rely on these limits because the maxima do not apply if it can be proven that a higher amount is appropriate. Furthermore, the limits may be circumvented by resorting to general causes of action in tort over and above the specific statutory cause of action created by the PDPA.

Administrative sanctions 

A regulatory body may impose administrative fines on a data collector in violation of the PDPA ranging from NT$20,000 (approx. US$690 as at December 10, 2021) to NT$500,000 (approx. US$17,300 as at December 10, 2021) per violation. These administrative fines may be imposed repeatedly until the violation is cured.

Also, the representative, managers or other persons having authority of the data collector which violates the PDPA are subject to the same administrative fines as the data collector itself, unless it is proven that the relevant representative, manager or other person having authority had properly performed his/her duties. There is no definition of representative, manager or other person having authority, but generally such terms are understood to refer to the chairman and the general manager of the company.

Criminal sanctions

A person who, with the intention to gain “benefit” for themself or a third party or to “harm” the interests of others, violates

certain requirements as set out in the PDPA or conducts a prohibited cross-border transfer of personal data may be punished by

up to five years’ imprisonment and/or fines of up to NT$1,000,000 (approx. US$35,000 as at December 10, 2021). In addition, the

acquisition, dissemination, alteration, compromise of the accuracy of, or deletion of personal data with the intent to gain “benefit”

for themself or a third party or to “harm” the interests of others, in circumstances which are sufficient to cause damage to others,

may also be punished by imprisonment for up to five years and/or fines of up to NT$1,000,000 (approx. US$35,000 as at

December 10, 2021).

Data Protection Laws of the World Taiwan 1016 | | | www.dlapiperdataprotection.com

ELECTRONIC MARKETING

If a data collector wishes to use a data subject’s personal data for the purpose of direct marketing, whether electronic or

otherwise, such data collector is required to give the data subject a privacy notice (see Collection and Processing).

If a data subject requests the data collector to cease direct marketing, the data collector must stop using the data subject’s

personal data for marketing.

In this regard, when a data collector uses personal data of a data subject to conduct marketing for the first time, the data collector

must advise the data subject that they have the right to require cessation of the marketing and provide the data subject with

information as to how to exercise such right. Also, the data collector must bear the cost of the first cessation request (e.g. by

providing a toll-free line to call or a stamped pre-addressed envelope for return mail).

ONLINE PRIVACY

Although the PDPA does not specifically regulate online privacy, cookies and location data could be considered records of the social

activities of a natural person by which such person may be directly or indirectly identified; as such, the PDPA may apply to online privacy.

KEY CONTACTS

Russin & Vecchi

www.rvlaw.ru/taipei

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Phoebe Yu
Partner

Russin & Vecchi

T +886-2-2713-6110

pyu@russinvecchi.com.tw

Helen Wang
Associate

Russin & Vecchi

T +886-2-2713-6110

hwang@russinvecchi.com.tw


TAJIKISTAN

Last modified 14 January 2020

LAW

Personal Data Protection Law, No.1537 of 3 August 2018

Protection Data Law, No.631 of 15 May 2002

Informatization Law, No. 40 of 6 August 2001 – Legislation has passed (April 04, 2019, No 1595) that amends and

supplements the Informatization Law but the amendments are only of a terminological nature.

Information Law, No.609 of 10 May, 2002

Regulation on Certification of Information Security Facilities, Attestation of Information Objects and the Procedure for

Their State Registration, No.404 of 1 October 2004

The List of Information Security Facilities Subject to State Certification, No.424 of 24 February 2008

DEFINITIONS

The Personal Data Protection Law (hereinafter ‘PDPL’) defines personal data as any information about the facts, events and

circumstances of the life of a data subject which allows him/her to be identified.

Under the PDPL, the data subject is a natural person to whom the relevant personal data refers.

The PDPL does not define the term ‘sensitive data’. However, it does define biometric personal data, which covers biometric

and physiological data that identifies the data subject. Biometric personal data may be collected upon receipt of the data

subject’s consent.

NATIONAL DATA PROTECTION AUTHORITY

The Main Department for the Protection of State Secrets under the Government of the Republic of Tajikistan (hereafter

‘Regulator’).

Address:

F.Niyozi 37

Dushanbe, Tajikistan

734001

Tel:  +(992 37) 2-27-86-17

info@ggs.tj

Website: http://ggs.tj/index.php/tj/

REGISTRATION

Under the PDPL, prior notification of the Regulator when collecting, processing or maintaining a database of personal data is

not required.

However, the Data Protection Law requires certification of all information security facilities (including cryptographic, software,

organizational, technical and hardware-based facilities), as well as foreign-made facilities intended for the protection of information.

The list of information protection facilities is set by the Main Department for the Protection of State Secrets under the

Government of the Republic of Tajikistan (the Regulator). Certification is carried out on the basis of an agreement concluded between

the Regulator and the data controller.

DATA PROTECTION OFFICERS

Tajik law does not require the appointment of a Data Protection Officer or any similar position.

COLLECTION & PROCESSING

The PDPL provides the following definitions of collection and processing of personal data:

Collection of personal data is an action aimed at obtaining personal data.

Processing of personal data means actions aimed at:

Recording

Systematisation

Storage

Amendment

Supplementation

Extraction

Use

Dissemination

Depersonalisation (anonymisation)

Blocking, and

Destruction of personal data

Collection and processing of personal data is allowed when the following conditions are met:

The consent of the data subject, or of his / her legal representative, has been obtained

The information collected and processed is consistent with the lawful aims of the data controller

The information collected and processed is accurate and complete

The data subject has access to the collected and processed data relating to him / her and has the right to require

rectification of the relevant information

The data collector has duly certified with the Regulator all the relevant equipment and facilities intended for the collection and

processing of data

Article 11 of the PDPL entitles the data collector to process personal data without the data subject’s consent if this is

necessary for governmental authorities to carry out their functions or for the purpose of protecting the constitutional rights and

freedoms of citizens.

TRANSFER

Transfer of personal data is allowed provided the rights and freedoms of the data subject are not violated. With regard to cross-border

transfers of personal data, the PDPL does not impose any restrictions on the data controller if the foreign country provides

adequate protection of personal data.

Where there is no adequate protection of personal data, a cross border transfer is permitted in the following cases:

The data subject’s consent is obtained

The transfer is made pursuant to an international treaty recognised by Tajikistan, or

The transfer is necessary for the purpose of protecting citizens’ rights and freedoms, health and morality, and the public order

of the state

SECURITY

The data controller is obliged to take appropriate measures against unauthorized processing, accidental loss, or modification of

personal data.

BREACH NOTIFICATION

Currently, there is no formal requirement in Tajikistan to report data breaches to any authority or data subject.

ENFORCEMENT

Enforcement of the Data Protection Law (‘DPL’) is primarily carried out by the Main Department for the Protection of State Secrets under

the Government of Tajikistan.

In addition, Tajikistan courts, the Prosecutor’s Office, the Ministry of Internal Affairs and other law enforcement bodies have the

authority to ensure compliance and enforce the provisions of DPL within their competence.

Violations of DPL may result in civil, administrative and criminal sanctions, including:

Administrative fines up to approximately USD1,700

Imprisonment of up to 10 years, and

The right to claim compensation of damages, including emotional distress under civil proceedings

ELECTRONIC MARKETING

Currently, there is no law or regulation in Tajikistan that specifically regulates electronic marketing.

ONLINE PRIVACY

Currently, there is no law or regulation in Tajikistan that specifically regulates online privacy.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Alisher Hoshimov
Senior Associate

Centil Law Firm

T +992900878833

alisher.k@centil.law


TANZANIA

Last modified 21 February 2022

LAW

There is no single standalone law on data protection in Tanzania. Article 16 of the Constitution of the United Republic of

Tanzania, 1977 (“Constitution”) affords a fundamental right to privacy. This right encompasses private and family life, home and

private communication, including mail, telephone communications and emails in the workplace, and has wide-ranging applications

including data protection.

As a result, there are sector-specific laws which impose data protection principles and rules that must be followed by

those engaged in the processing of personal data, e.g. in the electronic and postal communications sector, the financial sector and

the health sector. Below are examples of some of the applicable laws:

The Electronic and Postal Communications Act, 2010 (“EPOCA”)

The Electronic and Postal Communications (Consumer Protection) Regulations, GN. No. 61 of 2018 (“Consumer Protection Regulations”)

The Electronic and Postal Communications (Licensing) Regulations, 2018 (“Licensing Regulations”)

The Electronic and Postal Communications (Computer Emergency Response Team) Regulations, 2018 (“CERT Regulations”)

The National Payment System Act, 2015 (“NPS Act”)

The Bank of Tanzania (Financial Consumer Protection) Regulations, 2019 (“Financial Consumer Protection Regulations”)

DEFINITIONS

Definition of Personal Data

None. There is no law which defines personal data.

Definition of Sensitive Personal Data

None. There is no law which defines sensitive personal data.

NATIONAL DATA PROTECTION AUTHORITY

There is no specific national data protection authority. The relevant authority depends on the affected sector. For instance, the

Tanzania Communications Regulatory Authority (“TCRA”) is the data protection authority in relation to electronic and

postal communications, and the Bank of Tanzania (“BOT”) is the data protection authority for financial services.

REGISTRATION

None. There are no legal obligations for data controllers or processors to register with a supervisory authority.


DATA PROTECTION OFFICERS

None. There are no legal requirements on data controllers or processors to designate a data protection officer.

COLLECTION & PROCESSING

The collection, storage and disclosure of information relating to private life interferes with the fundamental right to privacy. Article

16(2) of the Constitution provides that any interference requires justification and must be in accordance with the law (i.e., legal

procedures laid down by state authority). 

For instance, EPOCA requires electronic communications services and postal services licensees to collect, process and store

personal data of customers in a manner which is:

lawful and fair;

for identified purposes;

accurate;

protects against improper or accidental disclosure;

in accordance with the consumer’s other rights.[1]

Financial services providers are required to collect personal data of consumers within the limits established by the regulations and

with the consumer’s consent, where applicable. Such data must be used exclusively for the purpose for which it was collected.[2]

A financial service provider must make rules for the collection and use of data, including the means, purpose and types of data that

may be collected and retained.

Any collection and processing of personal data in any other sector must be carried out in accordance with the laws

applicable to that sector.

[1] Regulation 6, Consumer Protection Regulations

[2] Regulation 37, Financial Consumer Protection Regulations

TRANSFER

Any transfer of personal data requires justification and must be in accordance with the law (i.e., legal procedures laid down by

state authority). 

For instance, EPOCA restricts transfers of personal data (including outside Tanzania) by electronic communications services and

postal services licensees. Such data may only be transferred if the following conditions are met:

the transfer is in accordance with the terms and conditions agreed with the data subject; and either

the TCRA has approved or permitted the transfer; or

the transfer is permitted or required by any applicable law. 

Financial service providers can only transfer personal data of consumers with the consent of the data subject unless otherwise

authorized by the law or court order.

SECURITY

Article 16 of the Constitution infers that personal data must be collected, processed, and stored in a manner that ensures

appropriate security. This includes protection against unauthorised or unlawful disclosures, processing, accidental loss, destruction,

or damage.

BREACH NOTIFICATION

Generally, data controllers are expected to notify any personal data breach to the relevant national supervisory authority and, in

certain cases, the affected data subject.

Mandatory breach notification

Electronic communications service providers are required to notify any data security breaches to the Computer Emergency

Response Team, together with the measures undertaken to prevent recurrence of the threat.

ENFORCEMENT

Enforcement powers are found in sector-specific legislation. National supervisory authorities have a number of investigative

and corrective powers.

ELECTRONIC MARKETING

Electronic marketing is prohibited unless the consumer consents to the communication and the person sending it discloses

its identity and purpose at the beginning of the communication and gives an opt-out option to reject further communications.[1]

Financial services providers are prohibited from sharing consumers’ information with a third party for any purpose, including

electronic marketing, unless such information is used for a purpose consistent with the purpose for which it was originally

collected, and they must obtain the prior written consent of the consumer before using such information for future promotional offers.[2]

[1] Section 32(1), Electronic Transactions Act, 2015 and Regulation 9(3), VAS Regulations

[2] Regulation 39(b) and (c), Financial Consumer Protection Regulations

ONLINE PRIVACY

Every data collector and processor has a general obligation to ensure any confidential information it collects, maintains or

processes is protected against improper or accidental disclosure. 

Licensed online content service providers are required to ensure that online contents are safe, secure and do not contravene the

provisions of any law. They are also required to use passwords to protect any user equipment, access equipment or hardware and

prevent unauthorized access or use by unintended persons.[1]

Payment system providers are required to protect privacy of any participant and customer information and not disclose such

information unless the disclosure is in compliance with the law, an order of a court or with the express consent of the system

participant or consumer concerned.[2]

[1] Regulation 9(a) and (i), Online Content Regulations

[2] Section 47, NPS Act


KEY CONTACTS

DLA Piper Africa, IMMMA Advocates

www.dlapiperafrica.co.tz/en/tanzania/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Madina Chenge
Partner

DLA Piper Africa, IMMMA Advocates

T +255 22 2211080/1/2/3

chenge@immma.co.tz

Miriam Bachuba
Senior Associate

DLA Piper Africa, IMMMA Advocates

T +255 22 2211080/1/2/3

bachubam@immma.co.tz


THAILAND

Last modified 13 January 2022

LAW

On 28 May 2019, the Personal Data Protection Act (“PDPA”) became law in Thailand. There was an original one-year grace

period for the formation of the Personal Data Protection Committee and the issuance of subordinate regulations, as well as for

organisations to become compliant with the PDPA. However, on 21 May 2020, the Royal Decree Establishing Organisations and

Businesses that the Personal Data Controllers are Exempted from the Applicability of the PDPA B.E. 2563 (2020) (“Royal

Decree”) was published in the Royal Gazette, which effectively extended the implementation of the key provisions of the

PDPA until 31 May 2021. On 8 May 2021, an amendment to the Royal Decree was published in the Royal Gazette (Royal Decree

No. 2), which postponed the full enforcement of the PDPA for another year, making the PDPA fully enforceable from 1 June 2022

onwards.

The Ministry of Digital Economy and Society (“MDES”) requested the extension/postponement of the full enforcement of

the PDPA, citing the impact of the COVID-19 pandemic on organisations in Thailand; more specifically, the MDES recognised

that it would be too onerous for business operators (especially SMEs) to comply with the requirements under the PDPA on top

of dealing with the COVID-19 situation. The extension/postponement was therefore for the benefit of business operators.

Public hearings have been held by the MDES since the end of last year and throughout this year in relation to the issuance of the

subordinate regulations of the PDPA. However, as at present, no subordinate regulations have been issued, as the Personal Data

Protection Committee is still in the process of being established.

Key principles under the PDPA are highly influenced by the EU General Data Protection Regulation (often referred to as GDPR)

regime, but with some key local differences. The PDPA acknowledges individual data subjects’ right to control how their personal

data is collected, stored, processed and disseminated by data controllers, provides lawful bases for processing of personal data as

well as prescribes the duties and responsibilities of data controllers and processors. Whilst Thailand has adapted several concepts

from the GDPR, there are still some unique national perspectives in the provisions of privacy notice and data subject rights,

notably as regards consent. The data protection obligations under the PDPA generally apply to all organisations that collect, use or

disclose personal data in Thailand or of Thai residents, regardless of whether they are formed or recognised under Thai law, and

whether they are resident or have a business presence in Thailand. This extraterritorial scope of the PDPA represents a significant

expansion of Thailand’s data protection obligations to cover all processing activities relating to Thailand-based data subjects.

Data controllers are permitted to continue to process personal data collected before 1 June 2022 if the purpose for which the

personal data was collected remains the same. However, data controllers must publicise a consent withdrawal method and notify

the data subjects of the same so that data subjects have the option to withdraw their consent/opt-out.  However, if a data

controller uses or discloses personal data beyond the original purpose for which the data subjects had previously given consent,

further specific consent is required for each separate purpose.

DEFINITIONS

Data Controller is defined as “a person or juristic person who determines the purposes for which and the manner in which any personal

data are, or are to be processed.” Data Controllers have primary responsibility for ensuring that processing activities are compliant

with the PDPA.

Data Processor is defined as “a person or an entity that collects, uses, or discloses personal data on behalf of, or in accordance with, the

instructions of a Data Controller.” Data Processors have direct liability under the PDPA in areas such as (this is not exhaustive) data

security, data transfer and record keeping.

Personal Data is defined as “any data pertaining to a person that enables the identification of that person, whether directly or indirectly,

but specifically excluding data of the deceased.”

Sensitive Personal Data is defined as “personal data relating to a person’s race, ethnicity, political opinion, cult, religious or

philosophical beliefs, sexual behaviour, criminal records, health, disability, labour union, genetics, biometric or any data which may affect the

data subject in the same way as prescribed by the Regulator.” The PDPA requires Sensitive Personal Data to be handled carefully. We

expect the Regulator to provide further guidance on this in due course.

NATIONAL DATA PROTECTION AUTHORITY

The Personal Data Protection Committee (“Regulator”) is in the process of being established to supervise compliance with the

PDPA, under the supervision of the Minister of Digital Economy and Society.

REGISTRATION

The PDPA does not require any registration of Data Controllers, Data Processors or data processing activities. This may change

when subordinate laws are enacted.

DATA PROTECTION OFFICERS

Data Controllers and Data Processors are only required to appoint a data protection officer (DPO) if they fall within any of the

following:

is a public authority as prescribed and announced by the Regulator;

requires regular monitoring of Personal Data or systems due to the collection, use or disclosure of a large amount of

Personal Data as prescribed by the Regulator; or

the core activity of the Data Controller or the Data Processor involves the collection, use, or disclosure of Sensitive

Personal Data.

According to the public hearing guidelines that have been issued, a large amount of Personal Data refers to: (i) Personal Data of

more than 50,000 data subjects or Sensitive Personal Data of more than 5,000 data subjects within a 12-month period; (ii) a Data Controller or Data

Processor having more than 20 staff dealing with the collection, use and disclosure of Personal Data; or (iii) a Data Controller or

Data Processor having more than 20 branches or places dealing with the collection, use and disclosure of Personal Data. Note that

the public hearing guidelines only propose the potential direction the subordinate regulations are likely to take and are

not draft regulations which are binding.

COLLECTION & PROCESSING

Legal bases for collection and processing

The collection, use or disclosure of Personal Data requires consent of the data subject unless other legal bases for processing

apply. These include, among others things, the performance of contract or legal obligations, or by legitimate interest of the Data

Controller. The legal bases of processing Personal Data and Sensitive Personal Data are different. Due to the sensitive nature of

Sensitive Personal Data, explicit consent is required for its collection, use and disclosure without relying on the other legal bases

set out in the PDPA (such as vital interest, public health interest and preventive medicine where consent cannot be obtained). The

Regulator is expected to provide guidance on the scope of consent and exemptions once established.

The request for consent must be: (i) explicitly made in writing or via electronic means; (ii) clearly separated from other messages;

(iii) delivered in a format which is easily accessible and understandable, using language that is easy to understand; and (iv) the

message should not be misleading or cause data subjects to misunderstand the purpose of collection. The Data Controller must

also ensure that the consent is freely given and not conditional on entering into a contract. The Regulator can “require the Data

Controllers to request consent from the data subject in accordance with the form and statement prescribed by the Committee”. However, in

practice, requiring compliance through a prescribed form may prove challenging, given that Data Controllers may develop their

own mechanisms for gaining and assessing consent.

Data subjects have the right to refuse to consent, and the right to withdraw any consent they have given, at any time. Following

any such refusal or withdrawal of consent, Data Controllers should be wary of proceeding with the proposed data processing

activity. 

Notice

Data Controllers must give notice to the data subjects that Personal Data or Sensitive Personal Data is being collected, prior to or

at the time of collection, regardless of whether consent or other legal bases of processing apply. The privacy notice must contain

particulars prescribed by the PDPA, including categories of persons or entities to whom the collected Personal Data may be

disclosed to and the purpose of collection.

TRANSFER

The Data Controller may not use or disclose Personal Data without consent unless it has been exempted from the consent

requirement (i.e. on the grounds of other legal bases of processing). The recipient of the Personal Data must not disclose the

Personal Data for any other purposes other than as previously notified to the Data Controller when requesting for the Personal

Data.

In the event that the Data Controller uses or discloses Personal Data which is exempt from the consent requirement (i.e. other

legal basis of processing), the Data Controller must maintain a record of such use or disclosure in the manner prescribed under

the PDPA, for example the record must be kept in a written or electronic format.

Processing between Data Controllers and Data Processors

As the Data Processor will be carrying out activities only pursuant to the instructions given by the Data Controller, the PDPA

imposes an obligation on the Data Controller to ensure that there is a data processing agreement in place between the Data

Controller and Data Processor governing the activities of the Data Processor. 

Cross-Border Transfer

Personal Data may not be transferred outside of Thailand, unless the recipient country or international organisation has adequate

personal data protection standards in the Regulator’s view and the transfer is in accordance with the rules prescribed by the

Regulator. Exemptions may apply such as in the following cases:

the data subject has given consent and proper notification has been given by the Data Controller;

the transfer is necessary for the performance of a contract between the Data Controller and data subject; or

the transfer is necessary in order to protect the vital interests of the data subject. 

Transfer between group companies may be exempt from the above requirement if the international transfer is to an organisation

within the same group/affiliated business and such transfer is for joint business operations. Nevertheless, the personal data

protection policy of such group companies must be approved by the Regulator. 

The transfer requirements may have an impact on multinational organisations that routinely transfer data cross border. However,

given that many organisations in Europe will already comply with similar (and likely more stringent) data protection laws, the

impact of the PDPA may be limited regarding cross-border transfer of data.

SECURITY


Under the PDPA, Data Controllers are required to have appropriate security measures to protect the stored Personal Data

against loss, misuse, alteration, edit or disclosure by means of unlawful access. Such security measures must be subject to periodic

review.

Nevertheless, whilst no penalty is being enforced at this stage, all Data Controllers (and Data Processors) are now required

to have in place personal data security measures in accordance with the standard prescribed by the Ministry of Digital Economy

and Society set out under the Notification of the Ministry of Digital Economy and Society Re: Personal Data Security Standards

B.E. 2563 (2020) issued on 17 July 2020, as amended on 24 May 2021 (“Notification”).

The Notification sets out minimum standards for personal data security measures covering administrative, technical and physical

safeguard measures in respect of access to, or control of the use of, Personal Data (“Measures”). Examples of Measures include

access control for Personal Data, and a requirement that the procurement of equipment used for the collection and processing of

Personal Data take into consideration usage, safety and security. User access management protocols must be put in place to

control and limit access to Personal Data to permitted personnel only.

Data Controllers (and Data Processors) under the PDPA are also now required under the Notification to notify staff, employees

and/or any relevant persons of the Measures in order to raise awareness of the importance of personal

data protection and encourage strict compliance.

BREACH NOTIFICATION

In the event of a data breach, Data Controllers must report the breach to the Regulator without undue delay, and in any event, if

feasible, within 72 hours of becoming aware of it. Data Controllers also have an obligation to notify the data subjects of the breach

and the remedial measures if the breach is likely to result in high risks to the rights and freedoms of individuals.

ENFORCEMENT

It is expected that, prior to 1 June 2022, the Regulator will issue guidelines to assist Data Controllers’ compliance plans. In the

meantime, to ensure compliance with the data protection law, public organisations and business operators should start to comply

with the PDPA by evaluating the level of data protection measures adopted by their organisation against the standards of the PDPA,

and ensure that the necessary documentation required by the PDPA is prepared.

There are three types of penalties under the PDPA – civil, criminal and administrative penalties. The amount of penalty will depend

on the offence committed. The maximum administrative fine is THB 5,000,000. Punitive damages may also be awarded by the

court but this is limited to twice the amount of actual compensation. In the event that the offender is a juristic person, the

director, manager or the responsible person may also be criminally liable under the PDPA if the relevant offence(s) resulted from

such person’s order, action or omission. It is unclear at this early stage what direction the Regulator will take in terms of actual

enforcement.

Data Processors who do not comply with their obligations are liable to an administrative fine under the PDPA. There may also be

liability under tort law.

ELECTRONIC MARKETING

Under the PDPA, data subjects have the right to object to direct marketing (whether or not electronic). Therefore, Data Controllers must ensure that there is an opt-out function implemented throughout the entire processing period.

ONLINE PRIVACY

General rules of the PDPA apply to online privacy.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Thailand 1028 | | | www.dlapiperdataprotection.com

KEY CONTACTS

Samata Masagee
Partner

T +66 2 686 8520

samata.masagee@dlapiper.com

Nahsinee Luengrattanakorn
Associate

T +66 2 686 8534

nahsinee.luengrattanakorn@dlapiper.com


TONGA

Last modified 15 February 2022

LAW

Based on English common law where not addressed by statute.

DEFINITIONS

Definition of Personal Data

None.

Definition of Sensitive Personal Data

None.

NATIONAL DATA PROTECTION AUTHORITY

None.

REGISTRATION

None.

DATA PROTECTION OFFICERS

None.

COLLECTION & PROCESSING

None.

TRANSFER

None.

SECURITY

None.

BREACH NOTIFICATION

None.


ENFORCEMENT

None.

ELECTRONIC MARKETING

None.

ONLINE PRIVACY

None.

KEY CONTACTS

Stephenson Associates

www.stephensonassociates.to/

Dana Stephenson
Principal

Stephenson Associates

info@stephensonassociates.to

TRINIDAD AND TOBAGO

Last modified 24 January 2022

LAW

The Data Protection Act, 2011 (DPA) provides for the protection of personal privacy and information processed and collected by public bodies and private organizations.

The DPA was partially enacted on January 6, 2012 by Legal Notice 2 of 2012, and only Part I and sections 7 to 18, 22, 23, 25(1), 26 and 28 of Part II have come into operation.

No timetable has been set for enacting the remainder of the DPA, and it is possible that there may be changes to the remainder of the legislation before it is proclaimed.

DEFINITIONS

Definition of personal data

Personal information is defined as information about an identifiable individual that is recorded in any form including:

The name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual

The address and telephone number of the individual

Any identifying number, symbol or other particular identifier designed to identify the individual

Information relating to the individual's race, nationality or ethnic origin, religion, age or marital status

Information relating to the education or the medical, criminal or employment history of the individual, or information relating to the financial transactions in which the individual has been involved or which refer to the individual

Correspondence sent to an establishment by the individual

Information that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence that would reveal the contents of the original correspondence

The views and opinions of any other person about the individual

The fingerprints, DNA, blood type or other biometric characteristics of the individual

Definition of sensitive personal data

Sensitive personal information is defined as personal information on a person’s:

Racial or ethnic origins

Political affiliations or trade union membership

Religious beliefs or other beliefs of a similar nature

Physical or mental health or condition

Sexual orientation or sexual life


Criminal or financial record

NATIONAL DATA PROTECTION AUTHORITY

The Office of the Information Commissioner is responsible for the oversight, interpretation and enforcement of the DPA. It has broad authority, including to authorize the collection of personal information about an individual from third parties and to publish guidelines regarding compliance with the Act.

REGISTRATION

There is no registration requirement under the DPA.

DATA PROTECTION OFFICERS

There is no such requirement under the DPA.

COLLECTION & PROCESSING

The knowledge and consent of the individual is required for the collection, use and disclosure of personal information. Collection must be made in accordance with the purpose identified by the organization collecting the personal information.

Sensitive personal information may not be processed except as specifically permitted by law.

The DPA includes provisions that relate specifically to the collection and processing of personal information by public bodies and private enterprises; however, these are not yet in force. Nevertheless, they are presented below.

Public Bodies

Part III of the DPA provides that a public body may collect and process personal data when the following conditions are met:

The collection of that information is expressly authorized by law

The information is collected for the purpose of law enforcement

The information relates directly to and is necessary for an operating program or activity of the public body

The personal information is collected directly from the individual, unless:

Another method of collection is authorized by the individual, Information Commissioner or law

The information is necessary for medical treatment

The information is required for determining the suitability of an award

The information is collected for judicial proceedings

The information is required for the collection of a debt or fine, or

It is required for law enforcement purposes

The individual is informed of the purpose for collecting his / her personal information, the legal authorization for collecting it and the contact details of the official or employee of the public body who can answer the individual's questions about the collection

Private Bodies

Part IV of the DPA provides that the collection and processing of personal information by private organizations must be in accordance with certain Codes of Conduct (which are to be determined by the Office of the Information Commissioner in consultation with the private sector) and the General Privacy Principles (which are currently in force).

Sensitive Information

Sensitive personal information may not be processed by public bodies and private organizations without the consent of the individual unless:

It is necessary for the healthcare of the individual

The individual has made the information public

It is for research or statistical analysis

It is by law enforcement

It is for the purpose of determining access to social services, or

As otherwise authorized by law

TRANSFER

Section 6(l) of the DPA provides that personal information may be transferred outside of Trinidad and Tobago only if the laws in the recipient country provide safeguards for the personal information comparable to those provided by Trinidad and Tobago law. In this regard, the Office of the Information Commissioner is required to publish a list of countries which have comparable safeguards for personal information as provided by this Act in the Gazette and in at least two newspapers in daily circulation in Trinidad and Tobago. Such a list has not been published to date.

Sections 72(1) and (2) of the DPA (neither of which is in force as yet) provide that where a mandatory code is developed for private bodies, at a minimum it must require that personal information under the custody or control of a private organization not be disclosed to a third party without the consent of the individual to whom it relates, subject to certain conditions. Where personal information under the custody and control of an organization is to be disclosed to a party residing in another jurisdiction, the organization must inform the individual to whom the information relates.

Section 6 of the DPA, which is in force, states that all persons who handle, store or process personal information belonging to another person are subject to the following General Privacy Principles:

An organization shall be responsible for the personal information under its control.

The purpose for which personal information is collected shall be identified by the organization before or at the time of collection.

Knowledge and consent of the individual are required for the collection, use or disclosure of personal information.

Collection of personal information shall be legally undertaken and be limited to what is necessary in accordance with the purpose identified by the organization.

Personal information shall only be retained for as long as is necessary for the purpose collected and shall not be disclosed for purposes other than the purpose of collection without the prior consent of the individual.

Personal information shall be accurate, complete and current, as is necessary for the purpose of collection.

Personal information is to be protected by such appropriate safeguards according to the sensitivity of the information.

Sensitive personal information is protected from processing except where specifically permitted by written law.

Organizations are to make available documents regarding their policies and practices related to the management of personal information to individuals, except where otherwise provided by written law.

Organizations shall, at the request of the individual, disclose all documents relating to the existence, use and disclosure of personal information, such that the individual can challenge the accuracy and completeness of the information, except where otherwise provided by written law.

The individual has the ability to challenge the organization's compliance with the above principles and receive timely and appropriate engagement from the organization.

Personal information which is requested to be disclosed outside of Trinidad and Tobago shall be regulated, and comparable safeguards to those under this Act shall exist in the jurisdiction receiving the personal information.

SECURITY

The DPA generally requires that personal information is protected by appropriate safeguards based on the sensitivity of the information. Sensitive personal information may not be processed except where permitted by law.

BREACH NOTIFICATION

There is no provision in the DPA for notifying data subjects or the Information Commissioner of a security breach.

ENFORCEMENT


The Office of the Information Commissioner is responsible for monitoring the administration of this Act to ensure that its purposes are achieved.

The Information Commissioner has several broad powers to conduct audits and investigations of compliance with the DPA.

Part V of the DPA (which is not in force) details the penalties for contraventions of the DPA and also makes further provisions for the enforcement of the DPA.

ELECTRONIC MARKETING

The DPA has no specific provision regarding electronic marketing.

However, Section 58 of the Electronics Transaction Act (not yet in force) requires that anyone performing the following acts shall provide the consumer with a clearly specified and easily activated option to opt out of receiving future communications:

Sending unsolicited commercial communications through electronic media to consumers in Trinidad and Tobago

Knowingly using an intermediary or a telecommunications service provider in Trinidad and Tobago to send unsolicited commercial communications

Sending unsolicited electronic correspondence to consumers while having a place of business in Trinidad and Tobago

ONLINE PRIVACY

The DPA has no specific provision regarding online privacy.

KEY CONTACTS

M. Hamel Smith & Co.

www.trinidadlaw.com/

Jonathan Walker
Partner

T +1 868 821 5500 ext. 5625

jonathan@trinidadlaw.com

Fanta Punch
Partner

T +1 868 299 0981

fanta@trinidadlaw.com

TUNISIA

Last modified 20 December 2021

LAW

Law n° 2004-63 dated July 27, 2004, on the Protection of Personal Data, regulates personal data, but even before that, Tunisia was already a pioneer in its region since 2002 in the field of personal data protection. This law was endorsed by the 2014 constitutional embodiment of the protection of privacy, which has placed this protection at the forefront of the rights and freedoms to be guaranteed in the new Republic.

Additionally, articles 56, 61 and 75 of the Organic Law n° 2015-26 of August 7, 2015 on the Fight Against Terrorism and the Prohibition of Money Laundering address the subject of personal data and when the use of personal data is permitted.

Tunisia became the 51st Member State of the Council of Europe Convention 108 on November 1, 2017.

In March 2018, it introduced in Parliament a new draft law on the protection of personal data in line with the new European GDPR.

DEFINITIONS

Definition of personal data

Article 4 of Act n° 2004-63 of July 27, 2004 defines personal data as all information, regardless of its origin or form, which directly or indirectly allows a natural person to be identified or made identifiable, with the exception of information related to public life or considered as such by law.

Definition of sensitive personal data

Act n° 2004-63 of July 27, 2004 does not give a clear definition of sensitive personal data, but it lists some personal data the processing of which is either prohibited, or requires the data subject's prior consent or the national authority's authorization.

The processing of personal data is prohibited when it involves criminal history and proceedings, criminal prosecution, penalties, preventative measures or judicial history.

In addition, the processing of personal data which directly or indirectly concerns the following is also prohibited:

Racial or genetic origins

Religious beliefs

Political opinions

Philosophical or union activism, or

Health and scientific research


NATIONAL DATA PROTECTION AUTHORITY

The National Authority for Protection of Personal Data (the Instance) was created by Decree n° 2007-3003 of November 27, 2007.

REGISTRATION

Any processing of personal data shall be subject to a prior declaration filed at the headquarters of the National Authority for Protection of Personal Data, or by any other means leaving a written record.

The declaration shall be made by the controller or his legal representative.

The declaration does not exempt third parties from liability.

The conditions and procedures for submitting the declaration shall be laid down by decree.

The Commission may object to the processing of personal data within one month from when the declaration is accepted (Article 7 of the 2004 Act).

DATA PROTECTION OFFICERS

Under Tunisian law, there is no reference to Data Protection Officers.

COLLECTION & PROCESSING

The following principles generally apply to the processing of personal data:

Personal data must be collected directly from the data subject.

Personal data collected from third parties are permitted whenever the data subject, his heirs or his agent have provided their consent.

The processing of personal data must respect human dignity, privacy and public liberties.

The collecting of personal data shall be exclusively carried out for lawful and clear purposes. 

Among the main prerequisites for the legitimate processing of personal data is the informed consent of the data subject, which means that the processing of personal data cannot be carried out without the express and written consent of the data subject. This consent shall be governed by the general rules of law if the data subject is incompetent or unauthorized or incompetent to sign.

The data subject or his agent is allowed to withdraw his consent at any time during the processing.

Additionally, and in the spirit of child protection, Tunisian law has provided extra protection to personal data relating to children: processing of this kind of data cannot be carried out without the consent of the child's agent and after authorization of the juvenile and family court judge.

Finally, the consent provided for the processing of personal data for a specific given purpose shall not apply to other forms or purposes.

TRANSFER

The transfer of personal data is treated in the 5th Chapter of the 2004 Act on the protection of personal data (Articles 47 to 52), and is generally prohibited or subject to strict measures, including prior authorization (submitted to the National Authority for Protection of Personal Data) and the explicit consent of the person in question, which is mandatory. The transfer of personal data to a foreign country is prohibited whenever it may endanger public security or Tunisia's vital interests.

The international transfer of personal data may not take place if the foreign country does not provide an adequate level of protection. In every case, the authorization of the Instance is required before the transfer of personal data. The Instance shall issue its decision within one month from the date of receipt of the application.

SECURITY


The National Authority for Protection of Personal Data is responsible for determining the proper measures and necessary safeguards in order to protect personal data.

BREACH NOTIFICATION

Under Tunisian Law, it is up to the person in question to make this kind of notification, or to his heirs and agents in certain circumstances.

Mandatory breach notification

The public prosecutor in the jurisdiction where the investigation takes place shall be informed by the National Authority for Protection of Personal Data of any offenses that it has detected.

ENFORCEMENT

The National Authority for Protection of Personal Data is legally mandated to ensure compliance with the provisions of the Law, but there is no information about cases where sanctions were applied to personal data infringements.

A draft bill on personal data is currently being considered by the Parliamentary Committee on Rights and Freedoms in the Tunisian Parliament. It substantially revises the existing Law and, when adopted, will correspond to the European standards for Data Protection.

ELECTRONIC MARKETING

Electronic Marketing is regulated under Tunisian Law by the Electronic Exchanges and Electronic Commerce Law n° 2000-83 enacted on August 9, 2000.

This law is quite comprehensive and regulates the main aspects of this field. For instance:

The preservation of the electronic document is as important as the preservation of the written document

Each person using an electronic signature device shall:

Take minimum precautions to avoid illegitimate use of encryption elements or personal signature equipment

Inform the electronic certification service provider of any fraudulent use of his electronic signature

ONLINE PRIVACY

There is no specific mention of online privacy under the 2004 law on the Protection of Personal Data.

However, the same safeguards, including restrictions and sanctions, apply as well to online privacy under Tunisian Law.

Furthermore, it is prohibited to use the processing of personal data for promotional purposes unless the data subject, his heirs or his tutor gives his explicit and specific consent.

KEY CONTACTS

Mohamed Lotfi El Ajeri
Managing Partner

Al Ajeri Lawyers

T +(216) 71 288 251 – 71 287 238

mlelajeri@eal.tn

TURKEY

Last modified 13 January 2022

LAW

The main piece of legislation covering data protection in Turkey is the Law on the Protection of Personal Data No. 6698 dated April 7, 2016 (LPPD). The LPPD is primarily based on EU Directive 95/46/EC.

To date, the legislature has enacted several regulations to implement various aspects of the LPPD. The notable ones are mentioned below:

Regulation on the Erasure, Destruction and Anonymizing of Personal Data (published in the Official Gazette dated October 28, 2017, numbered 30224)

Regulation on the Working Procedures and Principles of Personal Data Protection Board (published in the Official Gazette dated November 16, 2017, numbered 30242)

Regulation on the Registry of Data Controllers (published in the Official Gazette dated December 30, 2017, numbered 30286)

Regulation on the Organization of Personal Data Protection Authority (published in the Official Gazette dated April 26, 2018, numbered 30403)

The Communiqué on Procedures and Principles for Compliance with the Obligation to Inform (published in the Official Gazette dated March 10, 2018, numbered 30356)

The Decision of Data Protection Board, dated January 31, 2018, numbered 2018/10 on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data

Certain general laws such as the Turkish Criminal Code no. 5237 and sector-specific laws such as the Electronic Communications Law No. 5809 also touch upon data protection and are mentioned below when relevant.

DEFINITIONS

Definition of personal data

In the LPPD, personal data is defined as "Any information relating to an identified or identifiable natural person."

Definition of sensitive personal data

Sensitive personal data (Special Categories of Personal Data under the LPPD) is defined as "personal data relating to race, ethnic origin, political opinions, philosophical beliefs, religion, sect or other beliefs, clothing, membership of associations, foundations or trade unions, information related to health, sex life, previous criminal convictions and security measures, and biometric and genetic data."

NATIONAL DATA PROTECTION AUTHORITY

The national data protection authority is the Kişisel Verileri Koruma Kurumu (Personal Data Protection Authority). The Personal Data Protection Authority's decision-making body is the Kişisel Verileri Koruma Kurulu (Personal Data Protection Board). The organizational structure of the Authority and the duties and powers of its bodies are regulated under the Regulation on the Organization of Personal Data Protection Authority and the Regulation on the Working Procedures and Principles of Personal Data Protection Board.

Kişisel Verileri Koruma Kurumu

Nasuh Akar Mah. Ziyabey Cad. 1407. Sok. No: 4

06520 Balgat-Çankaya/Ankara

T +90 312 216 5050

http://www.kvkk.gov.tr

REGISTRATION

Pursuant to the LPPD and the Regulation on the Registry of Data Controllers, data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing.

The Regulation on the Registry of Data Controllers was published in the Official Gazette dated December 30, 2017, and entered into force on January 1, 2018. It regulates the establishment of a publicly accessible registry, which is to be held by the Personal Data Protection Authority, and the procedures and principles concerning enrollment in the registry.

Under this Regulation, all data controllers are required to enroll in the Registry of Data Controllers before proceeding with data processing. However, the Personal Data Protection Board may grant an exception to the obligation of enrollment by taking into account the nature and number of personal data, the purpose of processing personal data, and other objective criteria. Data controllers are not required to enroll in the Registry of Data Controllers in the following circumstances:

The processing of personal data is required for criminal investigation or for prevention of a criminal offense

If the personal data being processed is already publicized by the data subject

If, based on the authority given by Law, personal data processing is required for disciplinary investigation or prosecution and execution of the supervision or regulation duties to be conducted by public institutions and organizations and professional organizations with public institution status, or

If processing of personal data is required to protect the economic and financial interests of the State in relation to budget, tax and financial matters

Over the past year, the Personal Data Protection Board has enumerated additional exceptions to the enrollment obligation:

Data controllers who process personal data by non-automatic means as a part of a filing system, lawyers, independent accountants and financial advisors

Natural or legal persons having fewer than 50 employees per annum and an annual balance of less than 25 million Liras and whose main field of activity is not processing special categories of personal data.

Data controllers who are non-resident in Turkey shall enroll in the registry through a representative they assign in Turkey. Legal persons in Turkey or Turkish citizens may be assigned as representatives for this purpose.

In addition, both legal entities resident in Turkey and the above-mentioned representatives of non-resident data controllers shall, as part of the enrollment procedure, appoint an individual to act as "contact person" for both the Personal Data Protection Authority and for data subjects.

Operations related to the Registry of Data Controllers shall be carried out by data controllers through VERBIS (Data Controllers Registry Information System). The Personal Data Protection Authority, with its decision dated March 11, 2021, numbered 2021/238, extended the dates for the registration through VERBIS for four categories of data controllers.


Data controllers | Commencement date of registration | Due date

Any data controller who has more than 50 employees or whose total annual balance is more than TL 25,000,000 | October 1, 2018 | December 31, 2021

Non-resident (foreign) data controllers | October 1, 2018 | December 31, 2021

Any data controller who has fewer than 50 employees and whose total annual balance is less than TL 25,000,000, but who processes sensitive personal data as their main activity | January 1, 2019 | December 31, 2021

Public institutions and organizations | April 1, 2019 | December 31, 2021

Administrative fines of between TRY 39.337 and TRY 1.966.862 (approx. € 2388 – € 119.408) may be imposed on data controllers breaching obligations regarding the Registry of Data Controllers. For 2022, these amounts will be increased to between TRY 53.576 and TRY 2.678.866 (approx. € 3252 – € 162.633).

Further, the DPA has the right to restrict the data processing activities of a data controller in cases of clearly unlawful operation by a data controller, and in theory, processing personal data without registering with the Registry of Data Controllers may lead to such a restriction.

DATA PROTECTION OFFICERS

There is not yet a requirement in Turkey to appoint a data protection officer in the sense of GDPR.

COLLECTION & PROCESSING

Pursuant to the LPPD, it is mandatory to comply with certain principles while collecting and processing personal data. In light of such principles, collected personal data must be all of the following:

Processed fairly and lawfully

Accurate and up-to-date

Processed for specific, explicit and legitimate purposes

Relevant, adequate and not excessive 

Kept for a term necessary for purposes or for a term prescribed in relevant laws for which the data have been processed

Further, in principle, personal data cannot be collected and processed without the explicit consent of the data subject. However, the LPPD stipulates certain exceptions where consent is not required. These are:

Processing is expressly permitted by law

Processing is necessary for protection of the life or physical integrity of the data subject or a third party, where the data subject is not physically or legally capable of giving consent

Processing personal data of the contractual parties is necessary for the conclusion or the performance of a contract

Processing is mandatory for the data controller to perform his / her legal obligation(s)

Personal data has been made public by the data subject


Processing is necessary in order to assign, use or protect a right 

Processing is necessary for the legitimate interests of the data processor and this does not damage the rights of the data subject

Pursuant to Article 10 of the LPPD, data controllers or their authorized persons have an obligation to inform data subjects during the collection of the personal data. The Communiqué on Procedures and Principles for Compliance with the Obligation to Inform, published in the Official Gazette dated March 10, 2018, numbered 30356, sets forth the principles and procedures on the obligation to inform. As part of the collection of data from the data subject, the controller is obliged to provide the data subject with the following information:

Identity of the controller and of its representative, if any

Purposes of the processing for which the data is intended

Recipients of the data and the reasons for transfer

Process of collecting data and the legal grounds

Rights of the data subject

Where the data has not been obtained from the data subject, the controller shall provide the data subject with the above stated information as well as details of the categories of data concerned. According to the relevant Communiqué, the obligation to inform should be fulfilled within a reasonable time after collecting the personal data, or during the first contact if the personal data is obtained for communication purposes with the relevant persons, or at the very latest at the time of the initial transfer if the personal data is to be transferred.

Processing of sensitive personal data without explicit consent of the data subject is generally forbidden, although sensitive data other than health and sexual life data can be processed without explicit consent of the data subject if a law / legislation permits such processing. Under the LPPD, data controllers need to take the adequate measures required for the processing of sensitive personal data and comply with the decisions and guides of the Personal Data Protection Board designating such adequate measures. See also Personal Data Protection Board Decision dated January 31, 2018, numbered 2018/10, on Adequate Measures to be taken by Data Controllers in Processing the Special Categories of Personal Data.

Health data and sexual life data can only be processed by natural persons who are under an oath of secrecy or by authorities for the purposes of protecting public health, preventive medicine, medical diagnosis, the provision of care and treatment services or planning, and the management and financing of healthcare services.

Deletion, destruction or anonymization of personal data

The Regulation on Deletion, Destruction or Anonymization of Personal Data (“Regulation on Deletion of Personal Data”) was published in the Official Gazette dated October 28, 2017, and entered into force on January 1, 2018. This Regulation is crucially important for data controllers in terms of time limitations regarding deletion, destruction or anonymization of personal data.

Pursuant to the Regulation on Deletion of Personal Data, data controllers are required to prepare a personal data processing inventory and a personal data storage and destruction policy (Policy). Data controllers are also required to take measures to safeguard the data that they are processing, identify persons working in personal data storage and destruction processes, categorize personal data, store and destroy these data, and determine periodic destruction processes.

If the prerequisites for processing personal data provided under the LPPD are not met, then the personal data must be deleted, destroyed or anonymized by the data controller (of its own accord or upon the application of the related person). All actions related to the execution of this process must be recorded and these records shall be kept for at least three years.

In addition, if a data controller ceases to meet the above conditions for processing personal data, then it must carry out a process of periodic destruction. Periodic destruction is the deletion, destruction or anonymization of personal data at recurring intervals specified in the relevant data controller’s Policy. This period cannot exceed six months.

TRANSFER

The LPPD distinguishes between the transfer of personal data to third parties in Turkey and the transfer of personal data to third countries.

Transfer of personal data to third parties

In principle, personal data can be transferred to third parties with the explicit consent of the data subject. The conditions and exemptions applied to collection and processing of personal data also apply to the transfer of personal data to third parties.

Transfer of personal data to parties in third countries

In addition to the conditions and exemptions applied to the transfer of personal data to third parties, one of the following conditions shall exist for transfer of data to parties in third countries:

The country to which personal data will be sent shall have a sufficient level of protection;

The data controllers in Turkey and in the target country shall undertake protection in writing and obtain the Personal Data Protection Board’s permission; and

The data controller shall sign BCRs published by the Personal Data Protection Board and obtain the approval of the Personal Data Protection Board.

The Personal Data Protection Board shall declare the countries having an adequate level of protection. So far, the Personal Data Protection Board has not announced any country as adequate. However, the Personal Data Protection Board has announced the minimum clauses to be found in the undertakings of data controllers, by setting out examples of undertakings for cases where there is not an adequate level of protection in the country to which personal data is transferred.

SECURITY

In light of the provisions of the LPPD and consistent with the principles of good faith, those entrusted with personal data are expected to ensure protection of such data. Under the LPPD, the data controller is required to ensure that appropriate technical and organizational measures are taken to prevent all illegal processing and to ensure the data is not destroyed, lost, amended, disclosed or transferred without authority. Such measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected. Additionally, the data controller has to carry out the necessary inspections on its own institution or organization in order to ensure the implementation of the LPPD.

Data controllers and data processors shall not disclose any personal data in contradiction with the provisions of the LPPD and shall not use any personal data for any purposes except for the purpose of processing. This obligation continues after they leave their institution.

In addition, the LPPD enables data subjects to apply to data controllers by various means in relation to their rights stated in Article 11. Data controllers have an obligation to take every necessary administrative and technical measure to effectively finalize these applications in accordance with the LPPD and in good faith. The Communiqué on Procedures and Principles for Application to Data Controller dated March 10, 2018, numbered 30356, outlines the procedures of application.

BREACH NOTIFICATION

Under the DPL, controllers must notify the data subject and the Data Protection Authority in case of a data breach. The Data Protection Authority reserves the right to inform the public about the breach if it deems necessary.

While there is no specific time frame stipulated in the DPL, with the decision numbered 2019/10, which was published on February 15, 2019, the Data Protection Authority stipulated the procedure for breach notifications, which can be found online at https://www.kvkk.gov.tr/Icerik/5362/Veri-Ihlali-Bildirimi.

Notification to the Data Protection Authority

Pursuant to Decision 2019/10, data controllers are required to notify the Data Protection Authority within 72 hours of becoming aware of a breach.

In cases where the notification cannot be sent within 72 hours, the causes for the delay must be sent as well.


Further, with Decision 2019/10, the Data Protection Authority published the Data Breach Notification Form, which can be accessed at https://www.kvkk.gov.tr/SharedFolderServer/CMSFiles/617f166c-24e1-42b5-a9cb-d756d6443af9.

For all data breach notifications sent to the Data Protection Authority, the Data Breach Notification Form must be used. If it is not possible to fill out all of the information in the Data Breach Notification Form, a partially filled form may be sent to the Data Protection Authority. Therefore, gradual breach notification is possible.

The data breach notification can be sent to the Data Protection Authority via e-mail, by sending the Data Breach Notification Form to ihlalbildirimi@kvkk.gov.tr with the subject “Kişisel veri ihlali bildirimi”, or via the Data Protection Authority’s module at https://ihlalbildirim.kvkk.gov.tr/.

Alternatively, the form can be sent by post to the Data Protection Authority’s address.

Notification to Data Subjects

There is no clear time frame stipulated for notification to data subjects. The DPL and Decision 2019/10 require the data subjects to be notified “as soon as possible”. Notifications can be sent to data subjects directly if the data controller has their contact information. If not, any other appropriate way can be used, such as announcing the breach on the data controller’s website.

Other requirements

Pursuant to Decision 2019/10, data controllers are required to prepare a “Data Breach Response Plan” which should specify who, within the organization, should be contacted in the event of a data breach. This person will be the primary person responsible for assessing the consequences of such a breach.

Further, there is a requirement to retain the records regarding (i) information on the data security breach, (ii) impacts of the breach, and (iii) measures taken, and to make these available for a possible assessment by the DPA.

ENFORCEMENT

Under the DPL, for the year 2022, the Board may apply administrative fines up to TRY 2.678.866 for each incident. The following administrative fines apply for non-compliance with the data protection laws:

Non-compliance with the information notice requirements: a fine between TRY 13.393 and TRY 267.886 (approx. €813 to €16.263);

Non-compliance with the data security obligations: a fine between TRY 40.183 and TRY 2.678.866 (approx. €2.439 to €162.633);

Non-compliance with Data Protection Authority orders/decisions: a fine between TRY 66.972 and TRY 2.678.866 (approx. €4.065 to €162.633); and

Non-compliance with the Data Controllers’ Registry requirements: a fine between TRY 53.576 and TRY 2.678.866 (approx. €3.252 to €162.633).

Further, under the Turkish Criminal Code, the following acts are subject to imprisonment:

Persons who illegally collect personal data may be subject to imprisonment for a term of between one and three years. If the personal data is sensitive personal data, the offender may be subject to imprisonment for a term of between one and a half years and four and a half years.

Persons who illegally transfer personal data or make personal data available to the public may be subject to imprisonment for a term of between two and four years.

If any of the above criminal acts are committed by using the advantage or ease of a specific profession, or by a public officer using the authority given to him/her, the sanctions will be increased by 50%.

Those responsible for the deletion of data following the expiry of the retention period, and who fail to do so, can be subject to imprisonment for a term of between one and two years.

ELECTRONIC MARKETING


The Law on Regulation of Electronic Trade was published in the Official Gazette on November 5, 2014 (Electronic Trade Law). The Electronic Trade Law came into force on May 1, 2015. Secondary legislation (the Regulation on Electronic Trade) was published in the Official Gazette on August 26, 2015, and came into force on the same date.

Pursuant to the Electronic Trade Law, commercial electronic communications (electronic marketing) can only be sent if prior consent (opt-in) has been obtained from recipients. Such consent may be obtained in writing or through means of electronic communication, although if the consent is obtained in physical form, it must contain the recipient’s signature. Commercial electronic communications can be sent to craftsmen and merchants without obtaining prior consent. The commercial electronic communication must comply with the consent obtained from recipients, and must contain the identity of the service provider, contact information (such as email, SMS, telephone number or fax number, depending on the type of commercial electronic communication), and, if sent on behalf of a third party, information about that third party.

Pursuant to the Regulation on Commercial Communication and Commercial Electronic Messages, a registry named the Message Management System (“IYS”) was established on January 4, 2020. Pursuant to the Regulation, all entities that wish to send commercial electronic messages (SMS, e-mail or calls) must register with IYS.

Commercial electronic messages are defined as “messages sent to electronic communication addresses (including audio calls) of recipients, for the purpose of promoting or advertising a product, service or business, and/or to increase the reputation of such through content including a greeting or a wish”.

The deadline for service providers with 150.000 or more collected opt-ins to register with the IYS was December 31, 2020. The deadline for service providers with 149.999 or fewer collected opt-ins was May 31, 2021.

Failure to register the collected opt-ins with IYS results in all opt-in consents becoming invalid.

As of registration, opt-in consents can be obtained in writing or in any other electronic medium via IYS. Opt-in consents which were not obtained via IYS must be reported to IYS within three business days of being obtained. All opt-in consents which were not reported to IYS will be deemed invalid.

Also, recipients are able to submit their opt-out requests via IYS. Opt-out requests which are not received via IYS must be reported to IYS within three business days. Sending of commercial electronic messages must be stopped within three business days of receiving the opt-out request of the recipient.

Please note that obtaining opt-in consent is not necessary for commercial electronic messages sent to merchants and craftsmen. However, they should also be registered with IYS, and it must be checked whether they have exercised their right to opt out.

Consumers have the right to refuse a commercial electronic communication, and the service provider is obliged to allow the free transmission of the refusal. Commercial electronic communications to the recipient must cease within three business days of the receipt of refusal. For 2022, non-compliance with opt-in requirements is subject to administrative fines up to TRY 14.138 (approx. €857).

Since electronic marketing activities involve more and more use of personal data, the Electronic Trade Law and the LPPD may often be implicated at the same time. The Personal Data Protection Board Decision dated October 16, 2018, numbered 2018/119, states that commercial electronic communications such as advertisement notifications and marketing telephone calls also fall within the scope of the LPPD. However, this decision raised some questions regarding the application and enforcement of the Electronic Trade Law and the LPPD at the same time, especially in relation to fines which may be imposed twice, both according to the LPPD and the Electronic Trade Law.

ONLINE PRIVACY

There is no legislation in Turkey that specifically regulates privacy in respect of cookies and location data. However, Law No. 5651 on Regulating Broadcasting in the Internet and Fighting against Crimes Committed through Internet Broadcasting enables Internet users to initiate prosecution in case of infringements of their personal rights. Further, various amendments were made to Law No. 5651 on July 31, 2020. One of these amendments added the term “social network provider”, and the obligations of social network providers have been regulated within this scope.

Social network provider is defined as “a natural or legal person who enables users to create, view, or share texts, images, voice, location, or other types of data for the purpose of social interaction.”

The amendment requires foreign social network providers (companies that are not established in Turkey) which have daily access of 1.000.000 or more from Turkey to appoint a representative in Turkey. Also, the foreign social network providers must keep Turkish users’ (users from Turkey) personal data in Turkey within the scope of the Internet Law.

Failure to meet these requirements may result in administrative fines, limitation of bandwidth, and restriction of the commercial activities (online marketing) of the social network provider.

Under the Regulation on Protection of Personal Data in the Electronic Communications Sector and Preservation of Privacy, an Operator cannot process traffic data for purposes other than those required for the provision of their service. Traffic data shall be processed in accordance with the provisions of the relevant legislation for the purposes of traffic management, interconnection, billing, corruption detection and similar transactions, or settlement of disputes. The processed and stored traffic data belonging to the subscriber / user shall be deleted or made anonymous after the completion of the activity that required these data to be processed and stored.

Traffic data may be processed if required for marketing electronic communication services or providing value added electronic communication services, provided that either it is anonymized, or the relevant subscribers / users give their consent after being informed of the traffic data to be processed and the processing time.

Location data not qualifying as traffic data may be processed if required to provide value added electronic communication services, on the condition that it is anonymized or the relevant subscribers / users give their consent after being informed of the location data to be processed and of the purpose and duration of the processing.

Administrative fines of up to three percent of the net sales of the Operator in the previous calendar year shall be imposed if it fails to fulfill its obligations regarding the processing of traffic data and location data.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Burak Özdağıstanli
Partner

T +90 216 230 07 48

bozdagistanli@iptech-legal.com

Hatice Ekici Tağa
Partner

T +90 216 230 07 48

hekici@iptech-legal.com


TURKMENISTAN

Last modified 25 January 2021

LAW

The Law of Turkmenistan No. 519-V ‘On Information about Private Life and its Protection’ (the ‘Data Protection Law’) is the main and only law governing matters relating to collection and processing of personal data in Turkmenistan.

The Data Protection Law was enacted on 20 March 2017, i.e. after the adoption of the General Data Protection Regulation (the ‘GDPR’), and entered into force on 1 July 2017. In fact, the Data Protection Law partly reflects the rules and principles set out in the GDPR. However, the similarities that can be discovered between the Data Protection Law and the GDPR are few, and in most cases the Data Protection Law implements a simplified version of the approach taken by the GDPR.

DEFINITIONS

Article 1 of the Data Protection Law defines the term ‘personal data’ as ‘any kind of information, which relates to a certain individual, which is recorded on an electronic, paper or other medium’. In terms of accessibility, personal data can be divided into two types: public (such as telephone directories, social media, etc) and restricted. Publicly available personal data includes information which is either freely accessible upon consent of the individual (owner of personal data) or exempted from confidentiality in accordance with the laws of Turkmenistan.

The Data Protection Law additionally introduces the term ‘biometric data’, which encompasses any information that reflects the physical and biological characteristics of an individual (owner of personal data). The term is somewhat similar to the term ‘biometric data’ that is envisaged in the GDPR (Article 4(14)) but does not include any reference to physiological and behavioural characteristics.

Both personal data and biometric data are recognized as confidential under the Data Protection Law, and collection and processing of such data must be limited to the purposes the data is collected for.

In Turkmenistan the Data Protection Law does not provide for a definition of sensitive personal data. It is directly prohibited to collect specific categories of personal data which, inter alia, include data on nationality, skin colour, religious and political views, medical conditions, etc. Collection of such categories of personal data is permissible under the following circumstances:

Receipt of the written consent of the owner of the personal data

Such personal data is publicly available

Collection of personal data is required for healthcare and health protection of the owner of such personal data

Collection of personal data is performed by a religious or non-commercial organization, provided that the collected data will not be distributed without the prior written consent of the owner of the personal data

Collection of personal data is required for the administration of justice and / or investigative activity

NATIONAL DATA PROTECTION AUTHORITY

There is no special national authority in the field of data protection policy.


REGISTRATION

No registration of a personal data database is required under the Data Protection Law.

DATA PROTECTION OFFICERS

No appointment of a data protection officer is required under the Data Protection Law.

COLLECTION & PROCESSING

The owner of personal data shall give consent to the collection and processing of its personal data. Such consent can be delivered in written or electronic form or by virtue of any other secured means in compliance with Turkmen law.

Any such consent shall include the following information:

Name (surname, name), address, ID document of the owner of personal data

Name (surname, name) and the address of the data operator

Purpose of collecting and processing personal data

List of personal data to be collected and processed by the data operator

List of actions related to personal data for the purpose of which the consent is given, and a general description of the methods used to collect and process personal data

Term of the given consent, as well as the procedure for its withdrawal

No consent is required for collection and processing of personal data for the following purposes:

Investigatory activity

Statistical analysis

Life and health protection, protection of constitutional rights

Implementation of international agreements of Turkmenistan, etc

TRANSFER

For the purposes of cross-border transfers of personal data, the relevant consent of the owner of personal data is required. Since the Data Protection Law does not stipulate whether this should be a separate consent, it is recommended to obtain such consent together with a general consent on collection and processing of personal data.

Please note that personal data transferred outside Turkmenistan shall also be stored in the territory of Turkmenistan. Personal data processed for the purpose of statistical and/or scientific analysis shall be de-personalized.

A data operator is not allowed to transfer personal data outside Turkmenistan to a third party by virtue of a contract on collection and/or processing of personal data.

SECURITY

Article 23 of the Data Protection Law stipulates that data operators shall implement a set of legal, organizational and technical measures to ensure personal data protection. Such measures shall:

Uphold the rights to privacy, personal and family secrets

Ensure integrity and security of personal data

Ensure confidentiality of personal data

Allow the owner of personal data to have guaranteed access to such personal data

Prevent unauthorised collection and processing of personal data

Data operators are statutorily obliged to take any necessary and lawful measures to protect personal data and ensure:

Prevention of unauthorized access to personal data

Timely detection of unauthorized access to personal information

No adverse effects of such unauthorized access to personal data

It is important to note that the obligation of the data operators, as well as any third party acquiring the personal data, to protect the confidentiality of the acquired personal data arises from the moment such data is collected and shall be effective until the moment such data is destroyed or depersonalized.

BREACH NOTIFICATION

The Data Protection Law does not provide for any provisions regarding breach notification requirements. In other words, data operators are not obliged to notify the owners of personal data regarding any identified or potential confidentiality breach. However, the Data Protection Law envisages that data operators are obliged to block any personal data within one working day if there is a risk that a breach has occurred.

ENFORCEMENT

General enforcement of the Data Protection Law is performed by the General Prosecutor’s Office. However, any aggrieved party may file a suit directly with a court.

ELECTRONIC MARKETING

Article 5(8) of the Law of Turkmenistan ‘On Advertising’ prohibits distribution of any information protected by the law (including personal data) for advertising purposes.

ONLINE PRIVACY

Data Protection Law provisions apply to online privacy as well. There are no other specific regulations that govern online privacy in Turkmenistan. Data operators shall refer to the rules and regulations specified in the Data Protection Law.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Kamilla Khamraeva
Associate

Centil Law Firm

T +998 71 120 4778

kamilla.k@centil.law



UAE – ABU DHABI GLOBAL MARKET FREE ZONE

Last modified 5 January 2022

LAW

Note: Please also see UAE – General (https://www.dlapiperdataprotection.com/countries/uae-general/law.html), UAE – DIFC (https://www.dlapiperdataprotection.com/countries/uae-dubai-difc/law.html) and UAE – DHCC (https://www.dlapiperdataprotection.com/countries/uae-dubai-health-care-city-free-zone/law.html).

Following a period of public consultation, on 14 February 2021 the Abu Dhabi Global Market (“ADGM”) issued the ADGM Data Protection Regulations 2021 (“DPR”). The DPR replace the ADGM Data Protection Regulations 2015 (as amended). New establishments were given a six month window to adjust their compliance, whilst existing organisations were given 12 months, the DPR becoming fully enforceable from 14 February 2022.

An important feature of the new framework is the establishment of an independent Office of Data Protection, headed by a Commissioner of Data Protection.

In order to assist businesses in understanding the requirements of the DPR, and how those should be applied to their activities, in August 2021 the Office of Data Protection issued a suite of eight guidance documents which cover the following topics:

1. General overview;

2. Data subject rights;

3. Data protection by design and default, fees, record of Processing activities (“ROPA”), data protection officers (“DPOs”) and Processor obligations;

4. Data protection impact assessments (“DPIAs”);

5. Security of Processing and data breaches;

6. International transfers;

7. Codes of conduct and the role of the Commissioner of Data Protection and the Office of Data Protection; and

8. Individual Rights and Remedies.

DEFINITIONS

Definition of Controller

The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

Definition of Processor

A natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.

Definition of Data Subject


An identified or identifiable living natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Personal Data

Any information relating to a Data Subject.

Definition of Personal Data Breach

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.

Definition of Processing

Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Definition of Special Categories of Personal Data

Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;

Genetic Data, Biometric Data for the purpose of uniquely identifying a natural person, Data Concerning Health or data concerning a natural person’s sex life or sexual orientation; and

Personal Data relating to criminal convictions and offences or related security measures.

NATIONAL DATA PROTECTION AUTHORITY

The Commissioner of Data Protection performs his functions with the support of the Office of Data Protection. Those functions

include the following:

exercising investigative powers, where necessary;

monitoring and enforcing the application DPR;

promote public awareness and understanding of the risks, rules, safeguards and rights in relation to Processing;

advising and issuing opinions to the ADGM Board of Directors, Registration Authority, Financial Services Regulatory

Authority, ADGM Courts, and other institutions and bodies on legislative and administrative measures relating to the

protection of individuals’ rights with regard to the Processing of Personal Data;

promoting the awareness of Controllers and Processors of their obligations under the DPR. The Commissioner may also

engage in outreach programmes to raise awareness and increase understanding of the DPR;

providing the public with opportunities to provide views on the activities of the Office of Data Protection;

handling complaints lodged by individuals, and investigating, to the extent appropriate, the complaint and informing the

complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further

investigation is necessary;

cooperating with, including sharing information with and providing mutual assistance to, other data protection authorities with a

view to facilitating the effective enforcement of legislation for the protection of Personal Data worldwide;

monitoring relevant developments insofar as they have an impact on the protection of Personal Data, in particular the

development of information and communication technologies and business practices;

adopting standard contractual clauses (as per Sections 26(6) and 42(2) DPR);

publishing and maintaining a list as to the types of Processing operations which typically require a DPIA (as per Section

34(4) DPR);

approving codes of conduct and certification criteria (as per Sections 38(1) and 39(1) DPR);

authorising contractual clauses and provisions referred to in Section 42(4) DPR;

approving binding corporate rules pursuant to Section 43 DPR;

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World UAE – Abu Dhabi Global Market Free Zone 1052 | | | www.dlapiperdataprotection.com

issuing guidance and publishing standard forms (e.g. the DPIA template it has published);

keeping records of non-compliance by those entities caught by the DPR, as well as any measures taken as a result of such

non-compliance; and

collecting data protection fees and renewal fees.

The contact details for the Office of Data Protection are as follows:

The Office of Data Protection

Authorities Building

ADGM Square

Al Maryah Island

Abu Dhabi

UAE

Data.Protection@adgm.com

There is also a “Contact Us” form available on the Office for Data Protection’s website.

REGISTRATION

Data protection fee

Section 24 DPR requires Controllers to pay a data protection fee to the Commissioner of Data Protection before, or as soon as

reasonably practicable after, they start Processing Personal Data under the DPR.

It is also necessary to provide the Commissioner of Data Protection with:

name and address (which, in the case of a registered company, will be its registered office); and

Data Controllers must also establish and maintain records of any Personal Data Processing operations or set of such

operations intended to secure a single purpose or several related purposes.

It is important to note that all licensed persons in the ADGM would have already provided the necessary information to the

Commissioner of Data Protection during the company incorporation and registration Process. The date of incorporation is also

the date the Controller may commence Processing Personal Data, such as the Personal Data of directors, shareholders and other

statutory role holders. Each year, within one month of the anniversary of the date on which a Controller commenced

Processing Personal Data under the DPR 2021, it is also necessary to pay the renewal fee.

The amounts payable are set out in the Data Protection Regulations 2021 (Fees) Rules 2021.

As per Section 28 DPR each Controller and Processor to which the DPR applies must maintain a record of Processing activities in

writing. This can be in electronic form, but it does not necessarily need to be. The record of Processing activities must be made

available to the Commissioner of Data Protection upon request.

DATA PROTECTION OFFICERS

Controllers and Processors must appoint a DPO where:

the Processing is carried out by a public authority, except for courts acting in their judicial capacity;

the core activities of the Controller or the Processor consist of Processing operations which, by virtue of their nature,

scope and purposes, require regular and systematic monitoring of Data Subjects on a large scale; or

the core activities of the Controller or the Processor consist of Processing on a large scale of special categories of

Personal Data.

COLLECTION & PROCESSING

Data Controllers may Process Personal Data when any of the following conditions are met, as per Section 5(1) DPR:


the Data Subject has given Consent to the Processing of their Personal Data for one or more specific purposes. There are

detailed conditions for consent set out under Section 6 DPR;

Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at

the request of the Data Subject prior to entering into a contract;

Processing is necessary for compliance with a legal obligation to which the Controller is subject under Applicable Law;

Processing is necessary to protect the vital interests of the Data Subject or of another natural person;

Processing is necessary for the performance of a task carried out by a public authority in the interests of ADGM, or in the

exercise of (i) ADGM’s; (ii) the Financial Services Regulatory Authority’s; (iii) the ADGM Court’s; or (iv) the Registration

Authority’s functions or in the exercise of official authority vested in the Controller under Applicable Law (as defined

under the DPR);

Processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a Third Party, except

where such interests are overridden by the interests or rights of the Data Subject which require protection of Personal

Data, in particular where the Data Subject is a Child.

Data Controllers may Process Special Categories of Personal Data when any of the following conditions are met:

the Data Subject has given explicit Consent to the Processing of their Special Categories of Personal Data for one or

more specified purposes;

Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the Controller or

of the Data Subject in the field of employment law, provided that when the Processing is carried out, the Controller has

an appropriate policy document in place in accordance with Section 7(3) DPR;

Processing is necessary to protect vital interests of the Data Subject or of another natural person where the Data Subject

is physically or legally incapable of giving Consent;

Processing is necessary for health purposes, including preventative or occupational medicine, the assessment of the

working capacity of an employee, medical diagnosis, the provision of health care or treatment or the management of

health care systems or services or pursuant to a contract with a health professional provided that Processing is by or

under the responsibility of a health professional subject to the obligation of professional secrecy or duty of confidentiality;

Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious threats

to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;

Processing is necessary for Archiving and Research Purposes in accordance with Applicable Law;

Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association

or any other not-for-profit body including religious, cultural, educational, social or fraternal purposes or for other

charitable purposes and on condition that the Processing relates solely to the members or to former members of the

body or to persons who have regular contact with it in connection with its purposes and that the Personal Data is not

disclosed outside that body without the Consent of the Data Subjects;

Processing relates to Personal Data which is intentionally made public by the Data Subject;

Processing is required for the performance of a contract to which the Data Subject is party or in order to take steps at

the request of the Data Subject prior to entering into a contract;

Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their

judicial capacity; or


Processing is necessary for reasons of substantial public interest, provided that (unless specified otherwise) the Controller

has, when the Processing is carried out, an appropriate policy document in place in accordance with Section 7(3), where it

is necessary for:

the exercise of a function or requirement conferred on a person by Applicable Law;

the exercise of a function of the Board, Abu Dhabi or United Arab Emirate government;

the administration of justice;

equality of opportunity or treatment provided that the Processing does not, or is not likely to, cause substantial

damage or substantial distress to an individual; and it does not relate to an individual who has given written notice

to the Controller not to Process their Personal Data;

diversity at senior levels of organisations, where the Controller cannot reasonably be expected to obtain the

Consent of the Data Subject and is not aware of the Data Subject withholding Consent provided that the

Processing does not, or is not likely to, cause substantial damage or substantial distress to an individual;

the prevention or detection of an unlawful act or omission where the Processing must be carried out without the

Consent of the Data Subject so as not to prejudice this purpose; and if the Processing relates to the disclosure of

Personal Data to a relevant public authority an appropriate policy document in accordance with Section 7(3) need

not be in place for the Processing to be lawful under these Regulations;

the protection of the members of the public against dishonesty, malpractice or other seriously improper conduct,

unfitness or incompetence, mismanagement in the administration of a company, body or association, or failures in

services provided by a company, body or association where the Processing must be carried out without the

Consent of the Data Subject so as not to prejudice this purpose;

compliance with, or assisting other persons to comply with, a regulatory requirement which involves a person

taking steps to establish whether another person has committed an unlawful act or omission, or been involved in

dishonesty, malpractice or other seriously improper conduct where the Controller cannot reasonably be

expected to obtain the Consent of the Data Subject to the Processing;

the prevention of fraud in connection with Processing of Personal Data as a member of, or in accordance with

arrangements made by, an antifraud organisation;

the disclosure in good faith to an appropriate public authority regarding suspected terrorist financing, to identify

terrorist property or in relation to suspected money laundering, in accordance with Applicable Law; or

the publication of a judgment or other decision of a court or tribunal or if the Processing is necessary for the

purposes of publishing such a judgment or decision.

TRANSFER

International transfers

The DPR restricts the transfer of Personal Data out of the ADGM to a jurisdiction outside of the ADGM, or to an international

organisation. Transfer is interpreted broadly and covers not only an act of sending, but also making available Personal Data to an

individual or organisation in another jurisdiction. This includes transfer to onshore UAE based recipients.

There are various ways in which Personal Data can be legitimately transferred outside of the ADGM. Those are as follows:

transfer on the basis of an adequacy decision. The list of adequate jurisdictions can be found online (https://www.adgm.com/operating-inadgm/office-of-data-protection/jurisdictions). Note that these may

be updated from time to time as the Commissioner will monitor for any changes in law which could impact an adequacy

decision. When making its assessment the Commissioner will take account of the factors set out at Section 41(2) DPR;




transfer on the basis of appropriate safeguards without the need for Commissioner approval for the transfer. Those

include the following (provided always that the Controller or Processor has provided appropriate safeguards, and on

condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available):

a legally binding and enforceable instrument between public authorities;

binding corporate rules (BCRs);

standard data protection clauses adopted by the Commissioner of Data Protection (available online at https://www.adgm.com/documents/office-of-data-protection/templates/adgm-dpr-2021-article-26-sccs). Those are

broadly based on the recently issued EU SCCs;

a Commissioner approved code of conduct pursuant to Section 37 DPR together with binding and enforceable

commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the appropriate

safeguards, including as regards Data Subjects’ rights; or

a Commissioner approved certification mechanism pursuant to Section 39 DPR together with binding and

enforceable commitments of the Controller or Processor in the jurisdiction outside of ADGM to apply the

appropriate safeguards, including as regards Data Subjects’ rights.

The Commissioner does not require exporters relying on (i) – (v) above to conduct a detailed analysis of the laws of the importing

jurisdiction, but recommends that exporters conduct due diligence on importing entities to ensure that they are capable of

meeting their commitments under (i) – (v) above (as applicable).

where the Commissioner has given its approval to:

contractual clauses between the Controller or Processor and the Controller, Processor or the recipient of the

Personal Data outside of ADGM or the international organisation; and

provisions to be inserted into administrative arrangements, including regulatory memorandums of understanding

between public authorities or domestic or international bodies which include enforceable and effective Data

Subject rights; or

transfers made on the basis of one of the grounds set out under Section 44 DPR (some of which are subject to additional qualifications):

the Data Subject has explicitly consented to the proposed transfer, after having been informed of the possible

risks of such transfers for the Data Subject due to the absence of an adequacy decision and appropriate

safeguards;

the transfer is necessary for the performance of a contract between the Data Subject and the Controller or the

implementation of pre-contractual measures taken at the Data Subject’s request;

the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the Data

Subject between the Controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is required by law enforcement agencies of the UAE in accordance with Applicable Law (as defined

under the DPR);

the transfer is necessary for the establishment, exercise or defence of legal claims (including judicial,

administrative, regulatory and out-of-court procedures); or

the transfer is necessary in order to protect the vital interests of the Data Subject or of another person, where




the Data Subject is physically or legally incapable of giving consent.

SECURITY

The obligation to provide appropriate technical and organisational (security) measures for Personal Data applies to both

Controllers and Processors. The DPR does not specify any particular security measures; rather, it is up to the organisation to judge

what is appropriate in the circumstances taking into account:

the state of the art (i.e. the current state of technological development as appropriate to the context including: industry

practice; the type and scale of the Processing; and the availability of a product or solution in the market);

the costs of implementation;

the nature, scope, context and purposes of the Processing; and

the likelihood and severity of risks to Data Subjects’ rights (in particular from accidental or unlawful destruction, loss,

alteration, unauthorised disclosure of, or access to Personal Data).

Controllers must only use Processors that can give sufficient guarantees they will implement appropriate technical and

organisational measures to ensure their Processing will meet the requirements of the DPR and protect Data Subjects’ rights.

Controllers are primarily responsible for overall compliance with the DPR, and for demonstrating that compliance. If this isn’t

achieved, they may be liable to pay damages in legal proceedings or be subject to fines or other penalties or corrective measures

(see “Enforcement” below).

BREACH NOTIFICATION

In the event of a breach of any Personal Data held by a Data Processor, the Data Processor shall inform the Data Controller of

the incident without undue delay after becoming aware of the Personal Data Breach (Section 32(2) DPR).

If a Data Controller becomes aware of a Personal Data Breach, the Data Controller must inform the Commissioner of Data

Protection of the incident without undue delay, and where feasible, not later than 72 hours after becoming aware of it (Section

32(1) DPR).

When the Personal Data Breach is likely to result in a high risk to the rights of natural persons, the Controller must communicate

the Personal Data Breach to the Data Subject without undue delay.

ENFORCEMENT

Investigation and enforcement

The Commissioner has broad investigative powers under the DPR. Those include the power to:

order, by notice in writing, Controllers and Processors to provide any information it reasonably requires for the

performance of its duties and functions;

initiate investigations into a Controller’s or Processor’s compliance with the DPR;

access any equipment used to Process Personal Data (such as computers) and take possession of any relevant

documentation or information. The Commissioner must give written notice of the decision to investigate unless it

believes that doing so would likely result in the investigation being frustrated;

carry out investigations in the form of data protection audits;

carry out a review on certifications issued pursuant to Section 39 DPR;

notify Controllers and Processors of any alleged contravention; and

obtain, by notice in writing, from Controllers and Processors, access to all Personal Data and to all information reasonably


necessary for the performance of its duties and functions.

From an enforcement standpoint, the Commissioner has the power to:

issue and publish directions and warnings and make recommendations to Controllers and Processors that intended

Processing operations are likely to contravene the provisions of the DPR;

issue and publish directions and reprimands to Controllers and Processors where Processing operations have already

contravened provisions of the DPR;

order Controllers and Processors to comply with an individual’s requests to exercise his or her rights pursuant to the

DPR;

order Controllers and Processors to bring Processing operations into compliance with the provisions of the DPR, where

appropriate, in a specified manner and within a specified period;

order a Controller to communicate a Personal Data Breach to the individual, where it has not done so already;

impose a temporary or permanent limitation (including a ban) on Processing;

order the rectification or erasure of Personal Data or restriction of Processing pursuant to Sections 14, 15 and 16 DPR

and the notification of such actions to Recipients to whom the Personal Data has been disclosed, pursuant to Sections

15(2) and 17 of the DPR;

withdraw a certification if the requirements for the certification are not or are no longer met;

impose an administrative fine pursuant to Section 55 of the DPR, in addition to, or instead of, any of the other measures

set out under the DPR.

When considering whether to issue a fine the Commissioner will consider the circumstances on a case by case basis. For

particularly serious breaches the Commissioner may well issue a fine and issue an order for the infringing party to resolve its

infringement moving forwards;

order the suspension of data flows to a recipient inside or outside of ADGM or to an international organisation; and

where appropriate, refer contraventions of the DPR to the attention of the court and, where appropriate, commence legal

proceedings, in order to enforce the provisions of the DPR.

The DPR also provides a mechanism for Data Subjects to lodge complaints with the Commissioner (Section 57 DPR), and to bring

claims for compensation where they have suffered “material or non-material damage” as a result of a contravention of the DPR by a

Controller or Processor (Section 59 DPR).

ELECTRONIC MARKETING

According to Part 2 of the Commissioner’s Guidance, it is not always necessary to seek consent under the DPR to conduct direct

marketing activities, such as sending marketing emails. In many cases, it will be possible to rely upon legitimate interests (Section

5(1)(f) DPR) as the relevant legal basis for Processing. If relying on legitimate interests, it is important to ensure that individuals are

given the right to object both at the point at which their Personal Data is collected for direct marketing purposes, and within each

communication (for example, by way of an “unsubscribe link” in an email). A pre-ticked box may be sufficient when offering the

right to object at the point of data collection.

When relying on legitimate interests as the legal basis for Processing for direct marketing, Controllers should consider whether the legitimate

interests in conducting the marketing are overridden by the interests or rights of the Data Subject. Depending on the context of

the direct marketing activities (for example, if the content of those marketing communications relates to products or services


which are sensitive in some way, such as health related services), there may be instances where it will not be appropriate to rely

on this as the relevant legal basis and consent would be more appropriate. Controllers must also ensure that they continue to

meet their obligation to comply with the principles of transparency and fairness under Section 4 DPR by clearly describing their

direct marketing activities in the applicable privacy notice.

ONLINE PRIVACY

The DPR does not contain specific provisions relating to online privacy; however, the broad provisions detailed above are likely to

apply. Note that “online identifiers” fall within the definition of Personal Data. In addition, as UAE criminal law applies in the

ADGM, the privacy principles laid out therein may apply (see UAE – General, https://www.dlapiperdataprotection.com/countries/uae-general/law.html).

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Eamon Holley
Partner

T +971 4 438 6293

eamon.holley@dlapiper.com

Alex Mackay
Associate

T +971 4 438 6160

alex.mackay@dlapiper.com





UAE – DUBAI (DIFC)

Last modified 21 January 2021

LAW

Note: Please also see UAE – General (https://www.dlapiperdataprotection.com/countries/uae-general/law.html), UAE – ADGM (https://www.dlapiperdataprotection.com/countries/uae-abu-dhabi-global-market-free-zone/law.html) and UAE – DHCC (https://www.dlapiperdataprotection.com/countries/uae-dubai-health-care-city-free-zone/law.html).

In July 2020 the Dubai International Financial Centre (“DIFC”) brought DPL No. 5 of 2020 (“DPL”) into effect, giving companies a

three month transition period to update their compliance programs before it became enforceable on 1 October 2020. The DPL

replaced the existing DIFC data protection law (which was last updated in 2012), bringing it more closely in line with global privacy

standards, such as the General Data Protection Regulation 2016/679.

In addition, alongside the DPL a new set of accompanying Data Protection Regulations (“DPRs”) were introduced.

DEFINITIONS

Definition of Data Subject

The identified or Identifiable Natural Person to whom Personal Data relates.

Definition of Personal Data

Any data referring to an “Identifiable Natural Person”.

Definition of Identifiable Natural Person

A natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an

identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric,

physiological, mental, genetic, economic, cultural or social identity.

Definition of Special Categories of Personal Data

Personal data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political affiliations or

opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life and including genetic

data and biometric data where it is used for the purpose of uniquely identifying a natural person.

Definition of Process, Processed, Processes and Processing

Any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection,

recording, organization, structuring, storage and archiving, adaptation or alteration, retrieval, consultation, use, disclosure by

transmission, dissemination, transfer or otherwise making available, alignment or combination, restricting (meaning the marking of




stored Personal Data with the aim of limiting Processing of it in the future), erasure or destruction, but excluding operations or

sets of operations performed on Personal Data by:

a natural person in the course of a purely personal or household activity that has no connection to a commercial purpose;

or

law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal

offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security.

Definition of Substantial Public Interest

Includes, but is not limited to:

administration of justice, including criminal and regulatory investigations; and

exercise of a function conferred on a person by Applicable Law.

NATIONAL DATA PROTECTION AUTHORITY

The Commissioner of Data Protection (“Commissioner”) is essentially the regulating body in the DIFC from a data protection standpoint.

The Commissioner of Data Protection

Dubai International Financial Centre Authority

Level 14, The Gate

P.O. Box 74777

Dubai

United Arab Emirates

commissioner@dp.difc.ae

Tel: +971 4 362 2222

REGISTRATION

Controllers and Processors are required to submit a notification to the Commissioner via the DIFC’s online portal (the “Notification”) (Article 14(7) DPL) and to keep that Notification up to date.

The Notification must contain the following information: 

 a general description of the Personal Data Processing being carried out;

an explanation of the purpose for the Personal Data Processing;

the Data Subjects or class of Data Subjects whose Personal Data is being Processed;

a description of the class of Personal Data being Processed; and

a statement of jurisdictions to which Personal Data will be transferred by the Controller, along with an indication as to

whether the particular jurisdiction has been assessed as having an adequate level of protection for the purposes of articles

26 and 27 of the DPL.

The information set out within the Notification will be available on the DIFC’s public register. 

Where an organisation is required to appoint a Data Protection Officer (see DPO, https://www.dlapiperdataprotection.com/countries/uae-dubai-difc/data-protection-officers.html), the DPO must complete an “Annual

Assessment” in the form prescribed by the Commissioner.

DATA PROTECTION OFFICERS

Data Protection Officers (“DPOs”) are mandatory for:




DIFC Bodies (as defined under the DPL, other than courts acting in their judicial capacity); and

a Controller or Processor performing high risk Processing activities on a systematic or regular basis.

A Controller or Processor could also be required to appoint a DPO by the Commissioner.

A Group (defined under DPL) may appoint a single DPO provided that he is easily accessible to each entity in the Group. The

DPO must reside in the UAE unless he is an individual employed within the organisation’s Group and performs a similar function

for the Group on an international basis.

In addition, if a Controller or Processor is not required to appoint a DPO, it must still clearly allocate responsibility for oversight

and compliance with respect to data protection duties and obligations and provide details to the Commissioner (i.e. the person

appointed, pursuant to the DPL, to monitor, ensure and enforce compliance with the DPL).

(Article 16 DPL)

COLLECTION & PROCESSING

Data Controllers may collect and Process Personal Data when any of the following conditions are met (set out under Article 10 DPL):

- a Data Subject has given consent, which complies with the comprehensive consent requirements set out under Article 12 of the DPL, to the Processing of that Personal Data for specific purposes;
- Processing is necessary for the performance of a contract to which a Data Subject is a party, or in order to take steps at the request of a Data Subject prior to entering into such contract;
- Processing is necessary for compliance with applicable law that a Controller is subject to;
- Processing is necessary in order to protect the vital interests of a Data Subject or of another natural person;
- Processing is necessary for:
  - performance of a task carried out by a DIFC Body in the interests of the DIFC;
  - exercise of a DIFC Body’s powers and functions; or
  - the exercise of powers or functions vested by a DIFC Body in a Third Party to whom Personal Data is disclosed by the DIFC Body; or
- Processing is necessary for the purpose of legitimate interests pursued by a Controller (or a third party to whom the Personal Data has been made available, subject to Article 13 of the DPL which sets out certain restrictions on the ability to rely upon legitimate interests), except where such interests are overridden by the interests or rights of a Data Subject.

Data Controllers may collect and Process Special Categories of Personal Data when any of the following conditions are met (as per Article 11 DPL), in addition to establishing one of the legal bases under Article 10, set out above:

- a Data Subject has given explicit consent, which complies with the comprehensive consent requirements set out under Article 12 of the DPL, to the Processing of those Special Categories of Personal Data for one (1) or more specified purposes;
- Processing is necessary for the purpose of carrying out the obligations and exercising the specific rights of a Controller or a Data Subject in the context of the Data Subject’s employment, including but not limited to recruitment, visa or work permit Processing, the performance of an employment contract, termination of employment, the conduct of proceedings relating to employment and the administration of a pension, retirement or employee money purchase benefit scheme;
- Processing is necessary to protect the vital interests of a Data Subject or of another natural person, where the Data Subject is physically or legally incapable of giving consent;
- Processing is carried out by a foundation, association or any other non-profit-seeking body in the course of its legitimate activities, subject to appropriate assurances and provided that the Processing relates:
  - solely to the members or former members of such an entity; or
  - to other persons who have regular contact with such a body in connection with its purpose,
  and the Personal Data is not disclosed to a Third Party without the consent of a Data Subject;
- Processing relates to Personal Data that has been made public by a Data Subject;
- Processing is necessary for the establishment, exercise or defence of legal claims (including, without limitation, arbitration and other structured and commonly recognised alternative dispute resolution procedures, such as mediation) or is performed by the Court acting in its judicial capacity;
- Processing is necessary for compliance with a specific requirement of Applicable Law to which a Controller is subject, and in such circumstances the Controller must provide a Data Subject with clear notice of such Processing as soon as reasonably practicable unless the obligation in question prohibits such notice being given;
- Processing is necessary to comply with Applicable Law that applies to a Controller in relation to anti-money laundering or counter-terrorist financing obligations or the prevention, detection or prosecution of any crime;
- Processing is required for the purposes of preventive or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or the treatment or the management of health or social care systems and services, provided that the Personal Data is Processed by or under the responsibility of a health professional subject to an obligation of professional secrecy under applicable law or by another person also subject to an obligation of secrecy under applicable law;
- Processing is required for protecting members of the public against dishonesty, malpractice, incompetence or other improper conduct of persons providing banking, insurance, investment, management consultancy, information technology services, accounting or other services or commercial activities (either in person or indirectly by means of outsourcing), including any resulting financial loss;
- Processing is proportional and necessary to protect a Data Subject from potential bias or inaccurate decision making, where such risk would be increased regardless of whether Special Category Personal Data is Processed; or
- Processing is necessary for Substantial Public Interest reasons that are proportionate to the aim(s) pursued, respect the principles of data protection and provide for suitable and specific measures to safeguard the rights of the Data Subject.

Information Provision

Controllers are required to provide Data Subjects with certain information around how their Personal Data is processed in a concise, transparent, intelligible and easily accessible form, using clear and plain language. The information required to be provided is set out in detail under Part 5 of the DPL.

Where the Controller collects the Personal Data from the Data Subject, the information must be provided at the time of collection. (Article 29 DPL)

Where the Controller does not collect the Personal Data from the Data Subject, the Controller must provide the information:

- no later than one (1) month from obtaining the Personal Data; or
- if the Personal Data is used for communicating with the Data Subject, no later than the first communication; or
- if a disclosure (including the making available for Processing) to a Processor or a third party is envisaged, no later than the time when the Personal Data is first disclosed.

(Article 30 DPL)

TRANSFER

As per Article 26 DPL, Personal Data may be transferred out of the DIFC:

- to a country or jurisdiction that has been determined to have adequate protections (see Adequate Data Protection Regimes: https://www.difc.ae/business/operating/data-protection/adequate-data-protection-regimes/); or
- if it takes place in accordance with Article 27 DPL.

Article 27 DPL provides that:

A transfer or a set of transfers of Personal Data to a Third Country (i.e. anywhere other than the DIFC, including onshore UAE) or an International Organisation (as defined within the DPL) may take place on condition that:

- the Controller or Processor in question has provided appropriate safeguards (as described in Article 27(2), set out below), and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available;
- one of the specific derogations in Article 27(3) (set out below) applies; or
- the limited circumstances in Article 27(4) (set out below) apply.

Article 27(2) DPL provides that the appropriate safeguards referred to at (a) above may be provided for by:

- a legally binding instrument between public authorities;
- Binding Corporate Rules (i.e. Personal Data protection policies and procedures, aggregated or incorporated in a single written document, which regulate the transfer of Personal Data between members of a Group, legally bind such members to comply, and which contain provisions for the protection of such Personal Data);
- standard data protection clauses adopted by the Commissioner, which are modelled on the EU Standard Contractual Clauses (available on the DIFC website);
- an approved code of conduct pursuant to Article 48 together with binding and enforceable commitments of the Controller or Processor in the third country or the International Organisation to apply the appropriate safeguards, including regarding a Data Subject’s rights; or
- an approved certification mechanism pursuant to Article 50 DPL together with binding and enforceable commitments of the Controller or Processor in the Third Country or the International Organisation to apply the appropriate safeguards, including regarding Data Subjects’ rights.

Article 27(3) DPL sets out the following derogations:

- a Data Subject has explicitly consented to a proposed transfer, after being informed of possible risks of such transfer due to the absence of an adequacy decision or appropriate safeguards;
- the transfer is necessary for the performance of a contract between a Data Subject and Controller or the implementation of pre-contractual measures taken in response to the Data Subject’s request;
- the transfer is necessary for the conclusion or performance of a contract that is in the interest of a Data Subject between a Controller and a third party;
- the transfer is necessary for reasons of Substantial Public Interest;
- the transfer is necessary or legally required in the interests of the DIFC, including in the interests of the DIFC Bodies relating to the proper discharge of their functions;
- the transfer is necessary for the establishment, exercise or defence of a legal claim;
- the transfer is necessary in order to protect the vital interests of a Data Subject or of other persons where a Data Subject is physically or legally incapable of giving consent;
- the transfer is made in compliance with applicable law and data minimisation principles from a register that is:
  - intended to provide information to the public; and
  - open for viewing either by the public in general or by any person who can demonstrate a legitimate interest;
- subject to Article 28 DPL (which sets out the requirements for data sharing with public authorities), the transfer is:
  - necessary for compliance with any obligation under applicable law to which the Controller is subject; or
  - made at the reasonable request of a regulator, police or other government agency or competent authority;
- where the transfer is subject to international financial standards, the transfer is necessary to uphold the legitimate interests of a Controller recognised in international financial markets, except where such interests are overridden by the legitimate interests of the Data Subject relating to the Data Subject’s particular situation; or
- the transfer is necessary to comply with applicable anti-money laundering or counter-terrorist financing obligations that apply to a Controller or Processor or for the prevention or detection of a crime.

Article 27(4) DPL provides that where a transfer could not be based on one of the aforementioned bases (including those at (a)–(k), thereby making data transfers more flexible under the DPL), such transfer to a Third Country or an International Organisation may take place only if:

- the transfer is not repeating or part of a repetitive course of transfers;
- it concerns only a limited number of Data Subjects;
- it is necessary for the purposes of compelling legitimate interests pursued by the Controller that are not overridden by the interests or rights of the Data Subject; and
- the Controller has completed a documentary assessment of all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of Personal Data.

Under such circumstances the Controller is required to inform the Commissioner of any such transfer and to inform the Data Subject of the transfer and the compelling legitimate interests.

SECURITY

Controllers and Processors must implement appropriate technical and organisational measures to protect Personal Data against wilful, negligent, accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access and against all other unlawful forms of Processing, taking into account:

- the nature, scope, context and purpose of the Processing;
- the risks presented by the Processing to a relevant Data Subject; and
- prevailing information security good industry practice.

They must also review and update such measures, where necessary, to reflect legal, operational and technical developments.

(Article 14(2) DPL)

BREACH NOTIFICATION

If there is a Personal Data breach that compromises a Data Subject’s confidentiality, security or privacy, the data Controller must, as soon as practicable in the circumstances (note that unlike the GDPR there is no hard deadline), notify the Personal Data breach to the Commissioner. Such notifications must include, at a minimum, the following information:

- a description of the nature of the Personal Data breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate amount of Personal Data records concerned;
- the name and contact details of the DPO or other contact point where more information can be obtained;
- a description of the likely consequences of the Personal Data breach; and
- a description of the measures taken or proposed to be taken by the Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and in so far as, it is not possible to provide all of the information at (a)–(d) at the same time, the information may be provided in phases, as it becomes available.

In addition, Processors must notify Controllers without undue delay after becoming aware of a Personal Data breach.

Controllers and Processors must fully co-operate with any investigation of the Commissioner in relation to a Personal Data breach.

Controllers must also document in writing any Personal Data breaches, including the facts relating to the Personal Data breach, its effects and the remedial action taken. The information recorded must be sufficient to enable the Commissioner to verify compliance with the law and must be made available without delay on request.

(Article 41 DPL)

A Controller must make a notification to a Data Subject as soon as practicable in the circumstances (again, no hard deadline) where a Personal Data breach is likely to result in a high risk to the security or rights of a Data Subject. If there is an immediate risk of damage to the Data Subject, the Controller must promptly communicate with the affected Data Subject (for example, where his or her banking details are the subject of the breach).

Where a communication to the individual Data Subjects would involve disproportionate effort, a public communication or similar measure whereby the Data Subjects are informed in an “equally effective manner” will be sufficient.

Such notifications must include, at least, the information listed in (b)–(d) above, in clear and plain language. They must also, where possible, make recommendations for the Data Subject to mitigate against any potential adverse effects.

The Guidance to the DIFC DPL (“Guidance”) recommends that Controllers and Processors have in place an incident management policy which enables them to comply with the law in a timely fashion. It recommends clear incident classification as well as setting out the reporting requirements (including who to notify and when, with time being of the essence).

(Article 42 DPL)

ENFORCEMENT

The Commissioner has general powers to investigate and conduct inspections where it suspects that a Controller or Processor is not operating within the law.

Where it concludes that the Controller or Processor is not acting in compliance with the DPL, it has the power to:

- order it to do or refrain from doing any act or thing within such time as may be specified in the direction;
- order it to refrain from Processing any Personal Data specified in the direction or to refrain from Processing Personal Data for a purpose or in a manner specified in the direction;
- issue an administrative fine in an amount he considers appropriate but not exceeding the amount specified in Schedule 2 in respect of each contravention (the fines range from USD 10,000 to USD 100,000 and there are around 35 in total); and / or
- issue a general fine in an amount he considers appropriate and proportionate, taking into account the seriousness of the contravention and the risk of actual harm to any relevant Data Subject.

There is also a process built into the DPL and the DPRs for disputing any action taken by the Commissioner, with an ultimate right to challenge any action in court (Article 63 DPL).

Under the DPL Data Subjects also have the right to bring a claim for compensation where they suffer “material or non-material damage” by reason of any contravention of the law. Court proceedings can be initiated by the Commissioner as well as by Data Subjects.

ELECTRONIC MARKETING

The DPL requires Controllers to provide Data Subjects with various pieces of information when they process their personal data (typically by way of a privacy notice, which must meet the detailed requirements set out in Part 5 of the DPL), including whether the personal data will be used for direct marketing purposes.

Whilst consent is not expressly required (implying that one of the other legal bases can potentially be relied upon), Data Subjects do have the right to:

- be informed before Personal Data is disclosed for the first time to third parties or used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object to such disclosures or uses; and
- where Personal Data is Processed for direct marketing purposes, object at any time to such Processing, including Profiling to the extent that it is related to such direct marketing.

(Article 34 DPL)

The Controller should also make clear in its Notification to the Commissioner that one of the purposes for which it Processes Personal Data is that of direct marketing.

ONLINE PRIVACY

Where a Controller is offering online services through a platform, the default privacy preferences of the platform must be set such that no more than the minimum Personal Data necessary to deliver or receive the relevant services is obtained or collected, and a Data Subject should be:

- prompted to actively select his privacy preferences on first use; and
- able to easily change such preferences.

(Article 14(4) DPL)

In addition, Controllers are to make available a minimum of two methods (which may include, by way of example, post, telephone, email or an online form) by which a Data Subject can contact the Controller to request to exercise his rights under the DPL. If the Controller maintains a website, at least one method of contact must be made available without charge via the website, without the need to submit data to create an account of any sort. (Article 40 DPL)

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Eamon Holley
Partner

T +971 4 438 6293

eamon.holley@dlapiper.com

Alex Mackay
Associate

T +971 4 438 6160

alex.mackay@dlapiper.com

UAE – DUBAI HEALTH CARE CITY FREE ZONE

Last modified 21 January 2021

LAW

Note: Please also see UAE – General (https://www.dlapiperdataprotection.com/countries/uae-general/law.html), UAE – DIFC (https://www.dlapiperdataprotection.com/countries/uae-dubai-difc/law.html), UAE – ADGM (https://www.dlapiperdataprotection.com/countries/uae-abu-dhabi-global-market-free-zone/law.html).

The Dubai Healthcare City (“DHCC”), a healthcare free zone in Dubai, implemented DHCC Health Data Protection Regulation No 7 of 2013 (which repealed and replaces the DHCC Data Protection Regulation No. 7 of 2008) (“HDPR”).

The HDPR regulates the protection of Patient Health Information, as opposed to ‘personal data’.

Note that as opposed to the ICT Health Law, which applies to entities across the UAE, including within free zones such as the DHCC (please see UAE – General), the DHCC HDPR only applies to those entities licensed within the DHCC and to patient information generated and stored therein.

DEFINITIONS

Definition of Patient Health Information

Information about a patient, whether spoken, written, or in the form of an Electronic Record, that is created or received by any Licensee, that relates to the physical or mental health or condition of the patient, including the reports from any diagnostic procedures and information related to the payment for services.

Definition of Licensee

A Licensed Healthcare Professional, Licensed Complementary and Alternative Medicine Professional, a Licensed Healthcare Operator, an Approved Education Operator, an Approved Research Operator, a Licensed Commercial Company, or a Non-Clinical Operating Permit Holder (essentially a healthcare professional working in the DHCC with access to Patient Health Information).

Definition of Process, Processed, Processes and Processing

Any operation or set of operations which is performed on Patient Health Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, erasure or destruction.

NATIONAL DATA PROTECTION AUTHORITY

The DHCC Board of Directors and the Executive Body of the Dubai Healthcare City Authority (“DHCA”) are responsible for ensuring proper administration of the HDPR and any Rules, Standards and Policies made under the HDPR.

The Centre for Healthcare Planning and Quality (“CPQ”) is responsible for the compliance and enforcement of the HDPR.

Dubai Healthcare City Authority – Regulatory

Tel: +971-4-3838300

Fax: +971-4-3838300

info@dhcr.gov.ae

REGISTRATION

Not applicable.

DATA PROTECTION OFFICERS

There is a requirement for each Licensee to have one or more Data Protection Officers. The responsibilities of the Data Protection Officers include the encouragement of compliance by the Licensee with the HDPR; dealing with requests made to the Licensee under the HDPR; and otherwise ensuring compliance by the Licensee with the provisions of the HDPR (section 40 HDPR).

COLLECTION & PROCESSING

Patient Health Information is not permitted to be collected by any Licensee unless it is for a lawful purpose, and the collection is necessary for that purpose (article 27 HDPR). However, the meaning of lawful purpose is not defined in the HDPR.

The Patient Health Information should be collected from the patient directly, unless the Licensee believes on reasonable grounds that:

- the Patient concerned authorizes Collection of the information from someone else having been made aware of the matters set out in section 29(1);
- the Patient is unable to give his authority, and the Licensee, having made the Patient’s Representative aware of the matters set out in section 29(1), Collects the Patient Health Information from the Representative or the Representative authorizes Collection from someone else;
- compliance would prejudice the: (i) interests of the Patient; or (ii) purposes of collection; or (iii) safety of any individual;
- compliance is not reasonably practicable in the circumstances of the particular case;
- the Collection is for the purpose of assembling a family or genetic history of a Patient and is collected directly from that Patient and/or the Patient’s Representative;
- the Patient Health Information is Publicly Available Information;
- the Patient Health Information: (i) shall not be used in a form in which the Patient is identified; (ii) shall be used for statistical purposes and shall not be published in a form that could reasonably be expected to identify the Patient; or (iii) shall be used for research purposes (for which approval by an ethics committee, if required, has been given) and shall not be published in a form that could reasonably be expected to identify the Patient; or
- non-compliance is necessary: (i) to avoid prejudice to the maintenance of the law including the prevention, detection, investigation, prosecution, and punishment of offences; (ii) for the conduct of proceedings before any court or tribunal (being proceedings that have been commenced or are reasonably in contemplation) (section 28 HDPR).

TRANSFER

Patient Health Information may only be transferred to a third party located in a jurisdiction outside DHCC if (1) an adequate level of protection for that Patient Health Information is ensured by the laws and regulations that are applicable to the third party; and (2) the transfer is either: (a) authorized by the Patient; or (b) necessary for the ongoing provision of Healthcare Services to the Patient.

A jurisdiction shall be considered to have an adequate level of protection if that jurisdiction is listed as an acceptable jurisdiction under the Dubai International Financial Center Data Protection Law No. 1 of 2007, or has the written approval of the Central Governance Board.

The DHCC Healthcare Data Protection Regulation of 2008 contained a provision which permitted the transfer of Patient Health Information to a jurisdiction without adequate protection, if a permit was sought. However, this was removed under the HDPR and the Central Governance Board does not have the power to issue permits in respect of transfer to jurisdictions without an adequate level of protection.

SECURITY

A Licensee is responsible for the security of its information systems and networks and should act in a timely and co-operative manner to prevent, detect and respond to security incidents. A Licensee is further required to review and assess the security of information systems and networks and make appropriate modifications to security policies, practices, measures and procedures on a regular basis. Any security incidents must be disclosed to the CPU on a periodic basis.

A Licensee that holds Patient Health Information must maintain the security of the Patient Health Information, ensuring it is stored in a way that can be readily retrieved and easily removed or shared, as well as protecting the accuracy of the information. A Licensee is further responsible for ensuring reasonable safeguards are put in place to protect the Patient Health Information from loss, destruction, potential fire / water damage, tampering, theft, unauthorized access, use, modification, or disclosure (section 31, HDPR).

BREACH NOTIFICATION

There is no specific requirement set out in the HDPR obliging a Licensee to inform the CPQ in the event of a breach. Licensees are required to inform the Customer Protection Unit (within CPQ) on a periodic basis of any security incidents.

ENFORCEMENT

The CPQ is responsible for the compliance and enforcement of the HDPR and may delegate its powers and duties to any appropriate committee(s) constituted by it or to appropriate person(s) appointed by it (section 42 HDPR).

The powers, duties and functions of CPQ include: (a) conducting an audit of Patient Health Information when requested by a Licensee for the purpose of ascertaining whether or not the information is maintained in accordance with the HDPR; (b) monitoring the use of Personal Identifiers, and reporting to the Executive Body from time to time on the results of that monitoring, including any recommendations relating to the need for, or desirability of, taking regulatory, administrative, or other action to give protection, or better protection, to the Patient or the Licensee; and (c) monitoring compliance with the HDPR.

CPQ may require a Licensee to produce specified information or documents when requested in writing, in relation to the Processing of Patient Health Information or a complaint about an Interference with Patient Health Information. If the Licensee does not comply with the request, the CPQ may impose a Penalty as set out in a list to be published by the DHCA from time to time (section 42).

It does not appear that the DHCA has produced any further information on the penalties that apply in relation to a breach of the HDPR. It is unclear how any breaches of the HDPR will be dealt with in the DHCC.

ELECTRONIC MARKETING

The HDPR does not contain specific provisions relating to electronic or direct marketing. 

ONLINE PRIVACY

The HDPR does not contain specific provisions relating to online privacy; however, the broad provisions detailed above are likely to apply. In addition, as UAE criminal law applies in the DHCC, the privacy principles laid out therein may apply (see UAE – General: https://www.dlapiperdataprotection.com/countries/uae-general/law.html).

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Eamon Holley
Partner

T +971 4 438 6293

eamon.holley@dlapiper.com

Alex Mackay
Associate

T +971 4 438 6160

alex.mackay@dlapiper.com

UAE – GENERAL

Last modified 17 January 2022

LAW

Note: Please also see ,  , UAE – Dubai (DIFC) UAE – ADGM UAE – DHCC.

Generally

As part of the 50th anniversary of its founding, the United Arab Emirates (“ ”) has issued a set of sweeping legal reforms,UAE

including the much anticipated Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data Protection (“ ”),PDPL

which was issued on 26 September 2021.

The executive regulations to the PDPL (“ s”) are expected to be published before March 2022. ThereafterExecutive Regulation

organisations have a further six months from the date of the issuance of the Executive Regulations in which they can adjust

operations to compliance with the PDPL.

Reassuringly, the PDPL does not contain any major divergences from other well-known data protection regimes, including the GDPR. In this regard we expect it will be welcomed by local, regional and international businesses, in particular those that rely heavily upon personal data and international personal data flows. International businesses with global privacy compliance programs should seek to expand those to cover the UAE and achieve some synergies. However, businesses that are not used to compliance with laws like the GDPR may find some of the new obligations challenging; for example, the PDPL introduces rights for individuals to access, rectify, correct, delete, restrict processing, request cessation of processing or transfer of data, and object to automated processing. There are also new requirements around transfers of data outside of the UAE and requirements to keep data secure, and to notify the new data protection regulator, and in some circumstances Data Subjects, of data breaches. The requirements regarding keeping data secure, and new data breach obligations, will definitely up the ante for businesses in the UAE to take cyber security seriously.

Territorial Scope

The PDPL applies to:

- processing of personal data of people residing in the UAE, or people having a business within the UAE;
- each Controller or Processor inside the UAE, irrespective of whether the personal data they process is of individuals inside or outside the UAE; and
- each Controller or Processor located outside the UAE, who carries out processing activities of Data Subjects that are inside the UAE.

Other data protection and privacy laws in the UAE


The PDPL keeps intact existing data protection and privacy laws within the UAE’s financial free zones, DIFC and ADGM, as well as the rules of the Dubai Health Care City (links to our summaries are above), as well as applicable onshore laws regulating health data and banking and credit data. For this reason the data protection landscape in the UAE (and the wider GCC region) remains complex to navigate and somewhat fragmented, meaning that the application of the PDPL will need to be considered carefully.

There are several UAE federal level laws that contain various provisions in relation to privacy and the protection of personal data:

- Constitution of the UAE (Federal Law 1 of 1971)
- Crimes and Penalties Law (Federal Law 31 of 2021, abrogating Federal Law 3 of 1987)
- Cyber Crime Law (Federal Law 5 of 2012 regarding Information Technology Crime Control) (as amended by Federal Law No. 12 of 2016 and Federal Decree Law No. 2 of 2018), and
- Regulating Telecommunications (Federal Law by Decree 3 of 2003 as amended), which includes several implementing regulations/policies enacted by the Telecommunications and Digital Government Regulatory Authority (‘TDRA’) in respect of data protection of telecoms consumers in the UAE.

There are also some federal level sectoral regulations in banking and finance, and in health, which should be considered.

The Central Bank Law (Federal Law No. 14 of 2018); Central Bank’s Consumer Protection Regulation issued under Central Bank Notice No. 444 of 2021, and related Central Bank Consumer Protection Standards issued under Notice No. 1158 of 2021 on Consumer Protection Standards

Article 120 of the Central Bank Law requires that all data and information related to customers should be considered confidential in nature.

On 31 December 2020 the UAE Central Bank published its Consumer Protection Regulation. It applies to all Central Bank Licensed Financial Institutions, which had one year in which to ensure their compliance.

Article 6 of the Consumer Protection Regulation requires that Licensed Financial Institutions must collect the minimal amount of Consumer Data and information needed in respect of their licensed activities and remain in compliance with all other related laws and treat Consumers’ information relationships and business affairs as private and confidential.

The Central Bank Consumer Protection Standards set out in detail the requirements with which Licensed Financial Institutions must comply. These standards include Licensed Financial Institutions:

- having a proper Data Management Control Framework;
- using secure digital transaction processing and controls;
- designating responsibility and accountability for the data management and protection function to a senior position in management who reports directly to senior management;
- ensuring personal data is:
  - collected for a lawful purpose directly related to the Licensed Financial Activities of the Licensed Financial Institution;
  - adequate and not excessive in relation to the stated purpose; and
  - collected with appropriate security and protection measures against unauthorized or unlawful processing and accidental loss, destruction, or damage;
- notifying consumers prior to requesting consent to share consumer personal data;
- obtaining express consent of consumers prior to use or sharing of their data;
- retaining all personal data, documents, records and files securely for a minimum of 5 years;
- notifying the Central Bank of any material data breaches, losses, destruction or alteration when they occur.

Central Bank’s Stored Value Facilities Regulation

On 30 September 2020 the UAE Central Bank issued a new Stored Value Facilities Regulation (“SVF Regulation”), repealing and replacing the Regulatory Framework for Stored Values and Electronic Payment Systems it had issued in September 2016. While the SVF Regulation makes amendments to the licensing and enforcement regime for SVF (in onshore UAE only; it does not apply in, or affect, the DIFC and ADGM free zones), from a data protection perspective little has changed. The SVF Regulation applies to those providing Stored Value Facilities, which is now defined as “a facility (other than cash) for or in relation to which a Customer, or another person on the Customer’s behalf, pays a sum of money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets) to the issuer, whether directly or indirectly, in exchange for: (a) the storage of the value of that money (including Money’s Worth such as values, reward points, Crypto-Assets or Virtual Assets), whether in whole or in part, on the facility; and (b) the “Relevant Undertaking”. SVF includes Device-based Stored Value Facility and Non-device based Stored Value Facility”.

Article 10 of the SVF Regulation requires that licensees providing SVF services (“SVF Licensee”) must have in place adequate policies, measures and procedures to protect their information and accounting systems, databases, books and accounts, and other records and documents from unauthorized access, unauthorized retrieval, tampering and misuse.

An SVF Licensee must also adequately protect customer data (including customer identification and transaction records) which are required to be stored and maintained in the UAE. Such data can only be made available to the corresponding customer, the Central Bank, other regulatory authorities following prior approval of the Central Bank, or by a UAE court order. An SVF Licensee must store and retain all customer and transaction data for a period of five years from the date of the creation of the customer data, or longer if required by other laws.

Article 8 of the SVF Regulation requires that outsourcing arrangements must also contain adequate data protection and data handling controls.

ICT in Health Fields Law and Regulations, and Federal Ministerial Decision No 51 of 2021 Cases Allowing the Storage and Transfer of Medical Data and Information Out of the State

On 6 February 2018 Federal Law No. 2 of 2018 on the Use of the Information and Communication Technology (“ICT”) in Health Fields (“ICT in Health Fields Law”) was issued. The primary purpose of the ICT in Health Fields Law is to establish a central electronic system of medical records for use within the health industry within the UAE.

Article 13 of the ICT in Health Fields Law states that the Health Information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority of the relevant emirate in coordination with the Federal Ministry of Health.

The Minister of Health issued a decision on 28 April 2021 outlining the circumstances when Health Information can be transferred outside of the UAE.

The UAE ICT in Health Fields Law applies to all Competent Entities.

“Competent Entity” is defined as “Any entity in the State providing medical services, health insurance or national health insurance services, brokerage services, claims management services or electronic services in the medical field of any entity related, whether directly or indirectly, to the implementation of the provisions hereof.”

“Health Information” is defined as “The health information that were processed and were given a visual, audible or readable indication, and that may be attributed to the health sector, whether related to the health or insurance facilities or entities or to the health services beneficiaries.”

On 22 April 2020 the Federal Cabinet issued Cabinet Resolution No. 32 of 2020 concerning the Regulations Concerning the Use of the Information and Communications Technology in the Areas of Health (“ICT in Health Fields Regulations”). The regulations provide further details, including on permission controls to access and use the central system, and on the storage and exchange of information on the central system.

Dubai Data Law

In December 2015 the Dubai Government published the Dubai Law No. 26 of 2015 on the Regulation of Data Dissemination and Exchange in the Emirate of Dubai (“Dubai Data Law”). The purpose of the Dubai Data Law is to collate and manage data that relates to the emirate of Dubai and, where appropriate, to publish it as “Open Data” or at least ensure that it is shared between authorised persons. This law is considered unique as it is the only one in the world we are aware of that provides a government with the power to require designated private sector entities to provide to a government information held by the company in relation to a city, for the purposes of making that information Open Data.

DEFINITIONS

The PDPL contains the following definitions. 

“Personal Data” is defined as any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.

“Sensitive Personal Data” is defined as any data that directly or indirectly reveals a natural person’s family, racial origin, political or philosophical opinions, religious beliefs, criminal records, biometric data, or any data related to the health of such person, such as his/her physical, psychological, mental, genetic or sexual condition, including information related to health care services provided thereto that reveals his/her health status.

“Biometric Data” is defined as Personal Data resulting from Processing, using a specific technique, relating to the physical, physiological or behavioral characteristics of a Data Subject, which allows or confirms the unique identification of the Data Subject, such as facial images or dactyloscopic data.

“Processing” is defined as any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefor.

“Automated Processing” is defined as Processing that is carried out using an electronic program or system that is automatically operated, either completely independently without any human intervention, or partially independently with limited human supervision and intervention.

“Controller” is defined as an establishment or natural person who has Personal Data and who, given the nature of his/her activity, specifies the method, criteria and purpose of Processing such Personal Data, whether individually or jointly with other persons or establishments.

“Processor” is defined as an establishment or natural person who processes Personal Data on behalf of the Controller, as directed and instructed by the Controller.

“Data Subject” is defined as the natural person who is the subject of the Personal Data.

NATIONAL DATA PROTECTION AUTHORITY

At the date of writing this update the Data Office responsible for administering and enforcing the PDPL has not yet been established.

The UAE Central Bank is responsible for its Consumer Protection Regulation and Standards, and the SVF Regulation.

The Ministry of Health and Prevention is responsible for the ICT in Health Fields Law.

The Telecommunications and Digital Government Regulatory Authority is responsible for the regulation of its Consumer Protection Regulations.

REGISTRATION

There are no data protection registration requirements in the PDPL.


DATA PROTECTION OFFICERS

Processors and Controllers who are:

- conducting data processing which would cause a high risk to the confidentiality and privacy of the Data Subject’s personal data as a consequence of adopting new or data size-based technologies;
- conducting data processing that will involve a systematic and comprehensive assessment of sensitive personal data, including profiling and automated processing; or
- processing large volumes of sensitive personal data,

will need to appoint a DPO.

The DPO can be a staff member or someone working on a service contract and does not necessarily need to be located in the UAE.

COLLECTION & PROCESSING

Data Protection Controls (Article 5)

Under the PDPL, Personal Data must be processed according to the following controls:

- Processing must be made in a fair, transparent and lawful manner;
- Personal Data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected;
- Personal Data must be sufficient for and limited to the purpose for which the Processing is made;
- Personal Data must be accurate and correct and must be updated whenever necessary;
- Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data;
- Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard;
- Personal Data may not be kept after fulfilling the purpose of Processing thereof. It may only be kept in the event that the identity of the Data Subject is anonymized using the “Anonymization” feature;
- Any other controls set by the Executive Regulations of this Decree Law.

Legal Bases for Processing (Article 4)

The PDPL prohibits Processing Personal Data without the consent of the Data Subject, except in the following cases:

- if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws;
- if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract;
- if the Processing is necessary to protect the interests of the Data Subject;
- if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject;
- if the Processing is necessary to protect the public interest;
- if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures;
- if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State;
- if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State;
- if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State;
- if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers;
- any other cases set by the Executive Regulations.

Processing of Sensitive Personal Data

Unlike the GDPR, the PDPL does not impose more stringent controls around processing of Sensitive Personal Data. However, if a Controller or Processor is carrying out Processing that involves a systematic and comprehensive assessment of Sensitive Personal Data, including profiling and automated processing, or if the Processing will be made on a large amount of Sensitive Personal Data, then the Controller or Processor must appoint a Data Protection Officer (Article 10).

Article 21 also requires that DPIAs be conducted before Processing that will use any of the modern technologies that would pose a high risk to the privacy and confidentiality of the Personal Data of the Data Subject, if the Processing will be made on a large amount of Sensitive Personal Data.

Transparency (Privacy Notices)

The PDPL contains a broad obligation to process personal data in a transparent manner. This obligation is not placed specifically on either Controllers or Processors, so it can be assumed that it is intended to apply to both. Under other data protection laws, the general transparency obligation is often tied to a clear obligation to provide a privacy notice to Data Subjects which meets prescriptive content requirements. The PDPL does not (yet) have an express provision regarding this (although it is possible that the Executive Regulations may do). However, the PDPL does give Data Subjects a detailed right of access (without charge) to the types of information which would ordinarily be contained in a privacy notice. Moreover, per Article 13 of the PDPL, the Controller is required to, in all cases and prior to the commencement of processing, provide Data Subjects with information regarding:

- the purposes of the processing;
- the targeted sectors or establishments with whom the personal data will be shared, both within and outside the UAE; and
- the protection measures for cross-border processing.

Therefore, in practice, Controllers may ultimately consider publishing privacy notices that contain, at least in broad terms, the information that the Data Subject is entitled to seek under the PDPL.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data replicating those in the EU GDPR.  

Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right to obtain information (‘data access’) (Article 13)

A Data Subject is entitled to request access to and obtain the following information without charge:

- the types of his/her Personal Data that is processed;
- purposes of Processing;
- decisions made based on Automated Processing, including Profiling;
- targeted sectors or establishments with which his/her Personal Data is to be shared, whether inside or outside the State;
- controls and standards for the periods of storing and keeping his/her Personal Data;
- procedures for correcting, erasing or limiting the Processing and objection to his/her personal data;
- protection measures for Cross-Border Processing;
- procedures to be taken in the event of a breach or infringement of his/her Personal Data, especially if the breach or infringement poses a direct and serious threat to the privacy and confidentiality of his/her Personal Data;
- the process of filing complaints with the Data Office.


Right to request Personal Data transfer (‘data portability’) (Article 14)

The Data Subject has the right to obtain his/her Personal Data provided to the Controller for Processing in a structured and machine-readable manner, so long as the Processing is based on the Consent of the Data Subject or is necessary for the fulfillment of a contractual obligation and is made by automated means.

The Data Subject has the right to request the transfer of his/her Personal Data to another Controller whenever this is technically feasible.

Right to correction or erasure (‘right to be forgotten’) (Article 15)

The Data Subject has the right to request the correction or completion of his/her inaccurate Personal Data held with the Controller, and has the right to request the erasure of his/her Personal Data held with the Controller in any of the following cases:

- if his/her Personal Data is no longer required for the purposes for which it is collected or processed;
- if the Data Subject withdraws his/her Consent on which the Processing is based;
- if the Data Subject objects to the Processing or if there are no legitimate reasons for the Controller to continue the Processing;
- if his/her Personal Data is processed in violation of the provisions hereof and the legislation in force, and the erasure process is necessary to comply with the applicable legislation and approved standards in this regard.

Right to restriction of Processing (Article 16)

The Data Subject has the right to oblige the Controller to restrict and stop Processing in any of the following cases:

- if the Data Subject objects to the accuracy of his/her Personal Data, in which case the Processing shall be restricted to a specific period allowing the Controller to verify accuracy of the data;
- if the Data Subject objects to the Processing of his/her Personal Data in violation of the agreed purposes;
- if the Processing is made in violation of the provisions hereof and the legislation in force.

The Data Subject has the right to request the Controller to continue to keep his/her Personal Data after fulfillment of the purposes of Processing, if such data is necessary to complete procedures related to claiming or defending rights and legal proceedings.

Right to stop Processing (Article 17)

The Data Subject has the right to object to and stop the Processing of his/her Personal Data in any of the following cases:

- if the Processing is for direct marketing purposes, including Profiling related to direct marketing;
- if the Processing is for the purposes of conducting statistical surveys, unless the Processing is necessary to achieve the public interest;
- if the Processing is in violation of the controls referred to in Article 5 (referred to above).

The right not to be subject to automated decision making, including profiling (Article 18)

The Data Subject has the right to object to decisions issued with respect to Automated Processing that have legal consequences or seriously affect the Data Subject, including Profiling. However, the Data Subject may not object to the decisions issued with respect to Automated Processing in the following cases:

- if the Automated Processing is included in the terms of the contract entered into between the Data Subject and Controller;
- if the Automated Processing is necessary according to other legislation in force in the State;
- if the Data Subject has given his/her prior Consent on the Automated Processing.

TRANSFER


Data transfers out of the UAE may be subject to different laws.

The PDPL imposes limitations on the international transfer of Personal Data to outside of the UAE. Similar to the concept of the “adequate jurisdictions” in the EU, the Data Office is expected to approve certain territories as having sufficient provisions, measures, controls, requirements and rules for protecting privacy and confidentiality of personal data. There are also various other exceptions which exporters can rely on, although further details are awaited from the Data Office.

Article 10 of the SVF Regulation requires that customer data (including customer identification and transaction records) are required to be stored and maintained in the UAE.

Article 13 of the ICT in Health Fields Law requires that Health Information and data related to the health services provided in the UAE may not be stored, processed, generated or transferred outside the UAE, unless in the cases defined by virtue of a decision issued by the Health Authority of the relevant emirate in coordination with the Federal Ministry of Health. Federal Ministerial Decision No 51 of 2021 Cases Allowing the Storage and Transfer of Medical Data and Information Out of the State, outlines the circumstances in which such Health Information may be transferred outside of the UAE.

In addition, in circumstances where telecommunications service providers provide subscriber information to affiliates or third parties directly involved in the supply of the telecommunications services ordered by a subscriber, the third parties are required to take all reasonable and appropriate measures to protect the confidentiality and security of the subscriber information, and use such information only as needed for the provision of the requested services. Telecommunications service providers are required to ensure that the contracts between them and any affiliate or third party hold the other party responsible for the privacy and protection of the subscriber’s information (TDRA Consumer Protection Regulations v1.5, Article 20.8).

SECURITY

The PDPL imposes strict requirements around data security. Controllers and Processors are required to put in place sufficient technical and organisational measures to protect and secure Personal Data, preserve its confidentiality and privacy, and ensure that such personal data is not breached, destroyed or altered. The measures which must be taken need to take into account the nature, scope and purposes of processing and the possibility of risks to the confidentiality and privacy of the Data Subject’s Personal Data. Put simply, this means the higher the risk of harm to the Data Subject and/or the higher the likelihood of a breach, the greater the steps to secure personal data that need to be taken.

The UAE’s Federal Cabinet has issued Resolution No. 21 of 2013, concerning the Regulation of Information Security in Federal Authorities. Although it applies to information security within UAE federal government bodies, the requirements of this resolution might be passed on to contractors providing services to Federal government bodies when they are entering into service supply agreements with such bodies. Similarly, contractors to emirate level government bodies may need to comply with emirate government security standards. Examples include the Information Security Regulations of the Dubai Electronic Security Center.

Article 20.1 of the TDRA Consumer Protection Regulations v1.5 requires telecommunications service providers to “take all reasonable and appropriate measures to prevent the unauthorised disclosure or the unauthorised use of subscriber information”. Article 20.3 further stipulates that telecommunications service providers must take “all reasonable measures to protect the privacy of Subscriber Information that it maintains in its files, whether electronic or paper”, and that “reliable security measures” should be employed.

The UAE Cyber Crime Law focuses on offences related to accessing data without permission and/or illegally (Articles 2 and 3), including financial information (eg credit card information or bank account information) (Articles 12 and 13).

Based on the above, best practice from a UAE law perspective would be to take appropriate technical security measures against unauthorised or unlawful processing of, and against accidental disclosure of, personal data. The measures taken must ensure a level of security adequate enough to minimise the risk of liability arising out of a claim for breach of privacy made by a Data Subject.

BREACH NOTIFICATION

Article 9 of the PDPL requires that the Controller shall, immediately upon becoming aware of any infringement or breach of the Personal Data of the Data Subject that would prejudice the privacy, confidentiality and security of such data, report such infringement or breach and the results of the investigation to the Office within such period and in accordance with such procedures and conditions as set by the Executive Regulations. At the date of writing this update, the Executive Regulations have not yet been published.

ENFORCEMENT

The PDPL does not specify penalties, but notes that the Cabinet shall, based on the proposal of the Office General Manager, issue a decision specifying the acts that constitute a violation of the provisions of this Decree Law and the Executive Regulations thereof and the administrative penalties to be imposed.

Despite this there remain possible methods of enforcement of other UAE privacy laws:

1. Where the unauthorised disclosure of personal data results in a breach of the Penal Code:

The Public Prosecutor in the Emirate where:

- the party suspected of the breach (‘Offender’) resides; or
- the disclosure occurred,

will have jurisdiction over a Data Subject’s complaint.

If after concluding investigations with the police, the Public Prosecutor is satisfied with the evidence compiled, charges may be brought against the suspect.

The case would then be transferred to the Criminal Courts of First Instance. The Data Subject may attach a civil claim to the criminal proceedings before the Courts have ruled on the case.

Pursuant to Article 432 of the Criminal Law, a suspect who by virtue of his profession, occupation, status, or specialisation has access to a secret but discloses such secret in other than the cases permitted by Law, or who uses such secret for his own benefit or the benefit of another person, unless such disclosure or use is authorised by the concerned person, may, if the Courts so find, be penalized by a fine of at least UAE Dirhams 20,000 (the fine is determined by the Courts) and/or an imprisonment for at least one year.

Similarly, pursuant to Article 431 of the Criminal Law a punishment of shall be inflicted on any person“a jail sentence and a fine”

who interferes with the right to privacy and family life of individual by: 

eavesdropping, or recording, or transmitting, through a device of any type, conversations done privately or by phone or

any other device.

taking or transmitting, through a device of any type, pictures of any person in private,

unless legally permitted or with the individual’s consent. 

When ruling on the criminal case, the Criminal Courts would usually transfer a civil claim made by the Data Subject to the Civil

Courts of First Instance for further consideration. The Data Subject would need to prove the losses he/she has suffered as a direct

result of the disclosure of his/her personal data before the Civil Courts in order for damages to be awarded. 

2. Where the unauthorised disclosure of personal data results in a breach of the Cyber Crime Law:

The police in each Emirate have developed specialised cybercrime units to handle complaints that relate to breaches of the Cyber Crime Law.

As above, the cybercrime unit in the Emirate where:

the Offender resides; or

the disclosure occurred,

will have jurisdiction over a Data Subject’s complaint.

The cybercrime unit would investigate the case and decide whether or not to refer it to the Public Prosecutor in the same Emirate. If the case is referred and the Public Prosecutor is satisfied with the findings of the cybercrime unit, charges would be brought against the suspect. The same procedure identified above is then followed before the Courts.

If found guilty of an offence under the Cyber Crime Law, the punishment an Offender can receive varies depending on the nature of the crime. Punishments range from temporary detention or a minimum prison sentence of six months or one year, and/or a fine of between AED 150,000 and AED 1,000,000 (Articles 2, 3, 7, 21 and 22 of the Cyber Crime Law). If found guilty of an attempt to commit any of the relevant offences under the Cyber Crime Law, the punishment is half the penalty prescribed for the full crime (Article 40).

3. Where the unauthorised disclosure or transfer of personal data results in a breach of the Central Bank’s Consumer Protection Regulation or SVF Regulation:

The Central Bank may issue administrative penalties against Licensed Financial Institutions and SVF Licensees at its discretion. In the case of the Consumer Protection Regulation these may include fines, or replacing or restricting the powers of Senior Management or Members of the Board.

4. Where the unauthorised disclosure of personal data results in a breach of the Telecoms Law and Policies:

The TDRA is responsible for overseeing the enforcement of the Telecoms Law and in this regard may rely on the Police and Public Prosecutor in the Emirate where either:

the breach has occurred; or

the suspect resides.

Where a licensed telecommunications service provider has breached the law, the subscriber/Data Subject generally needs to complain first to the service provider about the breach, though a direct approach to the TDRA may be accepted by the TDRA at its discretion (Article 15.11.1 of the TDRA Consumer Protection Regulations v1.5).

The subscriber’s complaint needs to be submitted to the TDRA within three months of the date when the service provider last took action. This three-month requirement may be waived at the discretion of the TDRA (Article 15.11.1 of the TDRA Consumer Protection Regulations v1.5).

After examining the complaint, the TDRA may direct the service provider ‘to undertake any remedy deemed reasonable and appropriate’ (Article 15.11.5 of the TDRA Consumer Protection Regulations v1.5).

ELECTRONIC MARKETING

There are no general laws in the UAE covering electronic marketing; however, the TDRA has issued a regulation governing telecommunications licensees’ electronic communications with subscribers, as well as how they should monitor spam passing through their networks. Articles 21 and 22 of the Cyber Crime Law and Article 20.5 of the TDRA’s Consumer Protection Regulation v1.5, as described in the ‘Collection and Processing’ section above, are also worded widely enough to potentially apply to electronic marketing. Article 22 of the Cyber Crime Law, for example, prohibits the use of various electronic devices in order to disclose, without permission, confidential information that has been obtained in the course of a person’s duties.

The TDRA’s Unsolicited Electronic Communications Regulation states that telecommunications licensees are under a general obligation to put all practical measures in place to minimise the transmission of Spam having a UAE Link across their Telecommunications Networks, and where they are aware of Spam having a UAE Link sent to or from a particular Electronic Address, they must take all practical means to end the transmission of that Spam and to prevent the future transmission of such Spam. Spam is defined as Marketing Electronic Communications sent to a Recipient without obtaining the Recipient’s Consent.

Although the Unsolicited Electronic Communications Regulation is targeted at and enforced against telecommunications licensees, it effectively puts an obligation upon the licensees to minimise and prevent Spam from being transmitted through their networks.


ONLINE PRIVACY

The PDPL does not expressly cover online privacy; however, the PDPL will apply to Processing online.

Although the UAE Criminal Law does not contain provisions directly relating to the internet, its provisions related to privacy are broadly drafted and therefore could apply to online matters (such as Article 432 as described above).

Additionally, as described in Collection and Processing (https://www.dlapiperdataprotection.com/countries/uae-general/collection-and-processing.html), under certain circumstances online privacy is protected through Articles 21 and 22 of the Cyber Crime Law and the TDRA’s Consumer Protection Regulation. Unlawful access via the internet, by electronic devices, to financial information (eg Credit Cards and Bank Accounts) without permission is also an offence under the Cyber Crime Law (Articles 12 and 13).

KEY CONTACTS

Eamon Holley
Partner
T +971 4 438 6293
eamon.holley@dlapiper.com

Alex Mackay
Associate
T +971 4 438 6160
alex.mackay@dlapiper.com

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


UGANDA

Last modified 27 January 2020

LAW

Uganda recently enacted the Data Protection and Privacy Act, 2019 (Act) to supplement constitutional privacy protections under Article 27 of the Constitution of the Republic of Uganda. The Act regulates personal data collection, processing, use and disclosure, and applies to any person, entity or public body within or outside of Uganda who collects, processes, holds or uses personal data. The Act came into effect on 3 May 2019.

Sector-specific laws further incorporate data protection provisions applicable to regulated activities, including:

The Access to Information Act, 2005

The Regulation of Interception of Communications Act, 2010

The Computer Misuse Act, 2011

The Registration of Persons Act, 2015

DEFINITIONS

Definition of Personal Data

Section 2 of the Act defines personal data as information about a person from which the person can be identified, such as information relating to nationality, age, marital status, education level, occupation and identity data.

This information is considered personal data regardless of the form in which the information is recorded.

Definition of Sensitive Personal Data

Section 9 of the Act defines “special personal data” as data relating to the religious or philosophical beliefs, political opinions, sexual life, financial information, health status or medical records of an individual.

NATIONAL DATA PROTECTION AUTHORITY

Section 4 of the Act establishes the National Information Technology Authority-Uganda as Uganda’s personal data protection office. The office is not yet operational for data protection purposes.

REGISTRATION

Under Section 29 of the Act, the National Information Technology Authority-Uganda is authorized to maintain a data protection register of every person, institution or public body that collects or processes personal data, including the purpose of data collection or processing.

Registration requirements are not yet in effect, and are pending implementation of regulations to be enacted by the Minister of Information and Communications Technology.

DATA PROTECTION OFFICERS

Under Section 6 of the Act, covered entities are required to appoint a data protection officer responsible for ensuring compliance with the Data Protection and Privacy Act. The Act does not provide specific criteria for the appointment of data protection officers.

COLLECTION & PROCESSING

Restrictions on the collection or processing of personal data

The Data Protection and Privacy Act restricts personal data collection and processing by:

Requiring entities to obtain informed consent prior to personal data collection or processing

Prohibiting the collection or processing of children’s personal data unless: (i) done with the prior consent of a parent / guardian; (ii) necessary for compliance with the law; or (iii) for research or statistical purposes

Prohibiting the collection or processing of special personal data unless specifically permitted by law

Requiring that personal data be collected directly from the data subject, and only for a lawful or specific purpose related to the functions or activities of the data collector or controller

Requiring data collectors, processors and controllers to ensure that personal data is complete, accurate, up-to-date and not misleading

Requiring that further processing of personal data be for a specific purpose related to the purpose for which the personal data was collected

Prohibiting personal data retention for a period longer than necessary to achieve the purpose for which the data was collected and processed, unless specifically authorized by the Act, and

Requiring destruction or de-identification of personal data records at the end of the retention period to prevent reconstruction of personal data in an intelligible form.

TRANSFER

Section 19 of the Data Protection and Privacy Act permits processing or storage of personal data outside Uganda if:

Adequate measures are in place in the country in which the data is processed or stored, at least equivalent to protections under the Act, or

With data subject consent.

SECURITY

Under Section 20 of the Act, data controllers, collectors and processors must secure the integrity of personal data in their control or possession by adopting appropriate measures to prevent loss and unauthorized destruction, processing or access to personal data.

Data controllers are specifically required to use measures that:

Identify reasonably foreseeable risks to personal data in their possession or control;

Establish and maintain appropriate precautions against the risks identified;

Regularly verify the effective implementation of the precautions; and

Ensure that the safeguards are continually updated in response to new risks and deficiencies.

In instances where personal data is processed by third parties, entities must ensure that data processors apply the security safeguards provided under the Act.

BREACH NOTIFICATION

Section 23 of the Data Protection and Privacy Act imposes a duty on data processors, collectors and controllers to immediately notify the National Information Technology Authority-Uganda of any reasonable belief that personal data has been accessed or acquired by an unauthorized person.

ENFORCEMENT

Remedial orders

The Act empowers the National Information Technology Authority-Uganda to enforce penalties for violations of the Act, which include remedial orders and requiring compliance with data subject requests. Enforcement is generally triggered by complaints lodged with the Authority by aggrieved individuals or by data subjects seeking to enforce rights under the Act.

Compensation

Ugandan courts may award compensatory damages to persons harmed by data collector, controller or processor violations of the Act.

Sanctions

Fines – Entities that violate the Act are subject to a fine of up to 245 currency points (UGX 4.9 million). If an entity is a corporation, Ugandan courts may penalize the corporation’s violations of the Act by ordering a fine of up to 2 percent of the corporation’s annual gross turnover.

ELECTRONIC MARKETING

There is no specific electronic marketing regulation in Uganda.

ONLINE PRIVACY

There is no specific online privacy regulation.

KEY CONTACTS

Sebalu & Lule Advocates
www.sebalulule.co.ug/

Barnabas Tumusingize
Managing Partner
Sebalu & Lule Advocates
T +256 213 250 013
brt@sebalulule.co.ug

Paul Mbuga
Principal Associate
Sebalu & Lule Advocates
T +256 0312 2500013
mbuga@sebalulule.co.ug

Josephine Muhaise
Associate
Sebalu & Lule Advocates
T +256 414 233 063
jmuhaise@sebalulule.co.ug

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.


UKRAINE

Last modified 21 February 2022

LAW

The Law of Ukraine No. 2297-VI ‘On Personal Data Protection’ of June 1, 2010 (Data Protection Law) is the main legislative act regulating personal data protection in Ukraine. On December 20, 2012, the Data Protection Law was substantially amended by the Law of Ukraine ‘On Introducing Amendments to the Law of Ukraine “On Personal Data Protection”’ dated November 20, 2012, No. 5491-VI. Additional significant changes to the Data Protection Law were introduced by the Law of Ukraine ‘On Amendments to Certain Laws of Ukraine regarding Improvement of Personal Data Protection System’ dated July 3, 2013, No. 383-VII, which came into force on January 1, 2014.

In addition to the Data Protection Law, certain data protection issues are regulated by subordinate legislation specifically developed to implement the Data Protection Law, in particular:

Procedure of notification of the Ukrainian Parliament’s Commissioner for Human Rights on the processing of personal data which is of particular risk to the rights and freedoms of personal data subjects, and on the structural unit or responsible person that organizes the work related to protection of personal data during processing thereof (Notification Procedure)

Model Procedure of processing of personal data (Model Procedure)

Procedure of control by the Ukrainian Parliament’s Commissioner for Human Rights over adherence to personal data protection legislation

The Data Protection Law essentially complies with EU Data Protection Directive 95/46/EC.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, executed in Strasbourg on January 28, 1981, and the Additional Protocol to the Convention regarding supervisory authorities and trans-border data flows, executed in Strasbourg on November 8, 2001, were ratified by the Ukrainian Parliament on July 6, 2010 (Convention on Automatic Processing of Personal Data) and have become fully effective in Ukraine.

In addition, data protection is regulated by:

The Constitution of Ukraine dated June 28, 1996

The Civil Code of Ukraine dated January 16, 2003, No. 435-IV

Law of Ukraine ‘On Information’ No. 2657-XII, dated October 2, 1992

Law of Ukraine ‘On Protection of Information in the Information and Telecommunication Systems’ dated July 5, 1994, No. 80/94-VR

Law of Ukraine ‘On Electronic Commerce’ dated September 3, 2015, No. 675-VIII

Some other legislative acts

Furthermore, on June 7, 2021 the new Draft Law “On Personal Data Protection” No. 5628 was submitted to the Ukrainian Parliament. The draft law is aimed at harmonizing Ukrainian data protection legislation with the standards enshrined in the GDPR and Convention 108+ and is currently awaiting consideration by the Ukrainian Parliament.


DEFINITIONS

Definition of personal data

The Data Protection Law defines ‘personal data’ as data or an aggregation of data on an individual who is identified or can be precisely identified.

Definition of sensitive personal data

There is no definition of ‘sensitive personal data’.

However, there is a general prohibition on processing personal data with regard to racial or ethnic origin, political, religious or ideological convictions, participation in political parties and trade unions, accusation of criminal offences or conviction to criminal punishment, as well as data relating to the health or sex life of an individual.

Processing of such data is allowed if unambiguous consent has been given by the personal data subject or, based on exemptions envisaged by the Data Protection Law, where the processing is performed for reasons of protection of the vital interests of individuals (eg, healthcare purposes, in the course of criminal proceedings, anti-terrorism purposes, etc.).

NATIONAL DATA PROTECTION AUTHORITY

Starting from January 1, 2014, the Ukrainian Parliament’s Commissioner for Human Rights (Ombudsman) is the state authority in charge of controlling compliance with data protection legislation.

REGISTRATION

As of January 1, 2014, the requirement of obligatory registration of personal data databases has been abolished. However, according to the new wording of the Data Protection Law, personal data owners are obliged to notify the Ombudsman about personal data processing which is of particular risk to the rights and freedoms of personal data subjects within 30 working days from commencement of such processing. Pursuant to the Notification Procedure, processing of the following types of personal data requires obligatory notification to the Ombudsman:

Racial, ethnic, national origin

Political, religious or ideological beliefs

Participation in political parties and/or organizations, trade unions, religious organizations or civic organizations of ideological direction

State of health

Sexual life

Biometric data

Genetic data

Criminal or administrative liability

Application of measures as part of pre-trial investigation

Any investigative procedures relating to an individual

Acts of certain types of violence used against an individual

Location and / or route of an individual

The Notification Procedure envisages that the application for notification shall contain, inter alia, the following information:

Information about the owner of personal data

Information about the processor(s) of personal data

Information on the composition of personal data being processed

The purpose of personal data processing

Category(ies) of individuals whose personal data are being processed

Information on third parties to whom the personal data are transferred

Information on cross-border transfers of personal data

Information on the place (address) of processing of personal data

General description of technical and organizational measures taken by the personal data owner in order to maintain the security of personal data

Where any of the information listed above has been submitted to the Ombudsman and subsequently changes, the owner of the personal data shall notify the Ombudsman of such changes within 10 days from the occurrence of the change.

Additionally, the Notification Procedure requires the owners of personal data to notify the Ombudsman regarding the termination of personal data processing which is of particular risk to the rights and freedoms of personal data subjects, within ten days of such termination.

The Notification Procedure requires owners and processors of personal data that process personal data which is of particular risk to the rights and freedoms of personal data subjects to notify the Ombudsman on establishing a structural unit or appointing a person (data protection officer) responsible for the organization of work related to the protection of personal data during processing. Such notification shall be made within 30 days of establishing a structural unit or appointing a responsible person.

Information regarding the said notifications to the Ombudsman shall be published on the official website of the Ombudsman.

DATA PROTECTION OFFICERS

Data owners and processors processing personal data that is of particular risk to the rights and freedoms of personal data subjects must establish a special department or appoint a responsible person (data protection officer) to be responsible for personal data processing matters. Other owners and processors may either establish a department or appoint a responsible person on a voluntary basis.

There are no requirements for the data protection officer to be a citizen of or resident in Ukraine. However, if he or she is a foreign citizen, under the general rule a work permit must be obtained for him or her to hold such a position. There are no particular penalties for the incorrect appointment of a Data Protection Officer.

COLLECTION & PROCESSING

The Data Protection Law requires obtaining the consent of data subjects for the processing of their personal data. According to the Data Protection Law, the consent of the data subject means the voluntary and intentional expression of will of the data subject to the processing of personal data for the identified purposes, expressed in writing or in some other form. In the area of e-commerce, consent may be granted in the process of registration of data subjects by “ticking” a consent box during registration, provided that such a system does not allow processing of personal data before the consent is obtained. Under certain circumstances, personal data may be processed without a data subject’s consent (eg, legislative permission for processing of personal data, processing necessary for the conclusion and execution of a transaction or contract in favor of the data subject, protection of the interests of the data subject or data owner).

Pursuant to the Data Protection Law, as a general rule, personal data subjects shall be informed, at the moment of collection of their personal data, of:

The owner of their personal data

The composition and content of their personal data being collected

Their rights

The purpose of their personal data collection, and

The persons to whom their personal data will be transferred

However, where personal data have been collected on one of the following grounds, the personal data subjects shall be informed of the above within 30 working days:

Legislative permission of the owner of the personal data on the processing of personal data exclusively for the purposes of fulfilling its authorities

Conclusion and execution of a transaction where the data subject is a party, or the transaction has been concluded in favor of the data subject, or which preceded conclusion of a transaction at the request of the subject of personal data

Protection of vital interests of the data subject, or

Need to protect the legitimate interests of the owner of personal data and third parties, except where a data subject requests that the processing of his/her personal data stops and the need to protect personal data prevails over such interest

In addition, the Data Protection Law provides the data subject with the following rights:

To be aware of the sources of collection, the location of his / her personal data, the purpose of data processing, the address of the owner or processor of the personal data, or to obtain the said information through his / her representatives

To obtain information regarding the conditions of providing access to personal data, and in particular, information on third parties to which his / her personal data are transferred

To access his / her personal data

To obtain a reply within 30 calendar days from the date of receipt of his / her request, informing the individual whether his / her personal data is being processed, and to receive the contents of such personal data

To submit to the owner of personal data a reasonable request to terminate the processing of his / her personal data

To submit a reasonable request to change or destroy his / her personal data by any owner or processor of the personal data if the data is processed illegally or is inaccurate

To protection of his / her personal data from unauthorized processing and accidental loss, destruction or damage caused by intentional concealment, non-provision or untimely provision of the data, and to protection from the provision of inaccurate or discrediting information about the individual

To appeal violations in the course of personal data processing to the Ombudsman or to the court

To introduce limitations on the processing of his / her personal data when giving consent

To use means of legal protection in the case of violation of rights to personal data

To revoke his / her consent to personal data processing

To be aware of the mechanism of automatic personal data processing, and

To be protected from automated decisions that have legal effects

The owner of the personal data can entrust the processing of personal data to a processor pursuant to a written agreement requiring that the processor process the personal data only for the purposes and in the amount permitted under the agreement. The transfer of personal data to the processor is permitted only with the consent of the data subject.

TRANSFER

In accordance with the Data Protection Law, personal data may be transferred to foreign parties when there is an appropriate level of protection of personal data in the respective state of the transferee. Pursuant to the Data Protection Law, such states include member states of the European Economic Area and signatories to the Convention on Automatic Processing of Personal Data. The list of states ensuring an appropriate level of protection of personal data will be determined by the Cabinet of Ministers of Ukraine.

Personal data may be transferred abroad based on one of the following grounds:

Unambiguous consent of the personal data subject

Cross-border transfer is needed to enter into or perform a contract between the personal data owner and a third party in favor of the data subject

Necessity to protect the vital interests of the data subject

Necessity to protect the public interest, or to establish, fulfil or enforce a legal requirement

Non-interference in the personal and family life of the data subject, as guaranteed by the data owner

SECURITY

Data owners and processors must take appropriate technical and organizational measures to ensure the protection of personal data against unlawful processing, including against loss, unlawful or accidental elimination, and also against unauthorized access. In this regard, owners and processors processing personal data which is of particular risk to the rights and freedoms of personal data subjects shall designate a special department or a responsible person to organize the work related to the protection of personal data during the processing thereof (other owners and processors may either establish a department or appoint a responsible person on a voluntary basis).

The Model Procedure stipulates that the owners and processors of personal data shall take measures to maintain the security of personal data at all stages of processing, including organizational and technical measures for the protection of personal data.

Organizational measures shall include:

Determination of a procedure of access to personal data by employees of the owner / processor of personal data

Determination of the order of recording of operations related to the processing of personal data and access to them

Elaboration of an action plan in case of unauthorized access to personal data, damage to technical equipment or occurrence of emergency situations, and

Regular training of employees working with personal data

Personal data, irrespective of the manner of its storage, shall be processed in a way which makes unauthorized access to the data by third persons impossible.

For the purpose of maintaining the security of personal data, technical security measures shall be taken which exclude the possibility of unauthorized access to the personal data being processed and ensure the proper operation of the hardware and software through which the processing of personal data is performed.

Additionally, the Data Protection Law requires establishing a structural unit or appointing a responsible person within personal data owners / processors processing personal data which is of particular risk to the rights and freedoms of personal data subjects. Such structural unit or responsible person shall organize the work related to protection of personal data during the processing thereof.

BREACH NOTIFICATION

There is no requirement to report data security breaches or losses to the appropriate state authority.

ENFORCEMENT

According to Data Protection Law, the Ombudsman and Ukrainian courts are responsible for overseeing the compliance of

personal data protection legislation. Failure to comply with the provisions of Data Protection Law can lead to the penalties

prescribed by the law.

Violation of personal data protection legislation may result in civil, criminal and administrative liability.

If the violation has led to material or moral damages, the violator may be required by the court to reimburse such damages.

The Code of Ukraine on Administrative Offenses envisages administrative liability for the following breaches of Ukrainian data

protection legislation:

Failure to notify or delay in providing notification to the Ombudsman regarding the processing of personal data or of a

change to the information submitted, subject to notification requirements under Ukrainian legislation, or submission of

incomplete or false information, which may lead to a fine of up to EUR 223;

Non-fulfilment of legitimate requests (orders) from the Ombudsman or determined state officials of the Ombudsman’s

secretariat, regarding the elimination or prevention of violations of personal data protection legislation, which may lead to

a fine of up to EUR 557;

Non-fulfillment of legitimate requests of Ombudsman or its representatives, which may lead to a fine of up to EUR 112;

Non-observance of the established procedure for the protection of personal data which leads to the unauthorized access

of the personal data or violation of rights of the data subject, which may lead to a fine of up to EUR 557.

The criminal liability, prescribed by the Criminal Code of Ukraine, envisages fines of up to EUR 557 or correctional works for a term of up to two years, up to six months arrest, or up to three years of limitation of freedom for the illegal collection, storing, use, elimination, or spreading of confidential information about an individual, or an illegal change of such information.

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Ukraine 1092 | | | www.dlapiperdataprotection.com

ELECTRONIC MARKETING

The Law of Ukraine ’On Electronic Commerce’ dated September 3, 2015 provides for certain legal requirements for the distribution of commercial electronic messages in the area of electronic commerce. In particular, commercial electronic messages shall be distributed only subject to the consent given by the individual to whom such messages are addressed. At the same time, commercial electronic messages may be distributed to an individual without his / her consent only if such individual has an option to object to receiving such messages in the future.

In addition, commercial electronic messages shall satisfy the following criteria:

Commercial electronic messages shall unequivocally be identified as such.

The recipient shall have easy access to information regarding the person sending the message as stipulated by the Law of

Ukraine ‘On Electronic Commerce’, in particular: (i) full name of legal entity / individual and place of registration /

residence; (ii) email / website of the online shop; (iii) registration number or tax ID number / passport details (for

individuals); (iv) license data (in case if it is mandatory under the law); (v) inclusion of taxes in calculation of the price of

goods / services; and (vi) price of delivery of goods (in case if delivery is performed).

Commercial electronic messages regarding sales, promotional gifts, premiums and etc. shall be unequivocally identified as

such and the conditions of receiving of such promotions shall be clearly stated to avoid their ambiguous understanding as

well as shall comply with advertising legislation.

ONLINE PRIVACY

There is no specific legislation regulating online privacy in Ukraine. However, the Data Protection Law applies to the extent online

activities involve the processing of personal data.

KEY CONTACTS

Kinstellar

www.kinstellar.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Natalia Kirichenko
Counsel, Head of Intellectual Property & Technology

Kinstellar Ukraine LLC

T +044 495 17 87

natalia.kirichenko@kinstellar.com


UNITED KINGDOM

Last modified 27 January 2021

LAW

Following the UK’s exit from the European Union, the UK Government has transposed the General Data Protection Regulation (Regulation (EU) 2016/679) into UK national law (thereby creating the “UK GDPR”). In so doing, the UK has made a number of technical changes to the GDPR in order to account for its status as a national law of the United Kingdom (e.g. to change references to “Member State” to “the United Kingdom”). These changes were made under the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019. At this time, all material obligations on controllers and processors essentially remain the same under the UK GDPR as under the ‘EU GDPR’.

The Data Protection Act 2018 (“DPA”) remains in place as a national data protection law, and supplements the UK GDPR regime. It deals with matters that were previously permitted derogations and exemptions from the EU GDPR (for example, substantial public interest bases for the processing of special category data, and context-specific exemptions from parts of the GDPR such as data subject rights).

In addition,

Part 3 of the DPA transposes the Law Enforcement Directive ((EU) 2016/680) into UK law, creating a data protection

regime specifically for law enforcement personal data processing;

Part 4 of the DPA updates the data protection regime for national security processing; and

Parts 5 and 6 set out the scope of the Information Commissioner’s mandate and her enforcement powers, and creates a

number of criminal offences relating to personal data processing.

A Trade and Cooperation Agreement (“TCA”) was signed on 24 December 2020 between the European Union and the United Kingdom which sets out details of their future relationship, including with regards to personal data. Of particular relevance is the creation of a six-month bridging period (from 1 January 2021) to enable the continued flow of personal data from the EEA to the United Kingdom. Further details can be found in the Transfer section (https://www.dlapiperdataprotection.com/countries/united-kingdom/transfer.html).

Territorial Scope

The application of the UK GDPR turns principally on whether an organization is established in the United Kingdom.  As under the

EU GDPR, an ‘establishment’ may take a wide variety of forms, and is not limited to a company registered in the United Kingdom.

The UK GDPR also has extra-territorial effect, following the same principles as set out in the EU GDPR. As a result, an organisation that is not established within the United Kingdom will be subject to the UK GDPR if it processes personal data of data subjects who are in the United Kingdom where the processing activities are related “to the offering of goods or services” (Article 3(2)(a)) to such data subjects in the United Kingdom or to “the monitoring of their behaviour” (Article 3(2)(b)) as far as their behaviour takes place within the United Kingdom.

DEFINITIONS


“Personal data” is defined as “any information relating to an identified or identifiable natural person” (Article 4). A low bar is set

for “identifiable” – if the natural person can be identified using “all means reasonably likely to be used” (Recital 26) the information

is personal data. A name is not necessary either – any identifier will do, such as an identification number, phone number, location

data or other factors which may identify that natural person.

Online identifiers are expressly called out in Recital 30, with IP addresses, cookies and RFID tags all listed as examples.

The UK GDPR creates more restrictive rules for the processing of “special categories” (Article 9) of personal data (including data

relating to race, religion, sexual life, data pertaining to health, genetics and biometrics) and personal data relating to criminal

convictions and offences (Article 10).

The UK GDPR is concerned with the “processing” of personal data. Processing has an extremely wide meaning, and includes any

set of operations performed on data, including the mere storage, hosting, consultation or deletion of the data.

Personal data may be processed by either a “controller” or a “processor”. The controller is the decision maker, the person who

“alone or jointly with others, determines the purposes and means of the processing of personal data” (Article 4). The processor

“processes personal data on behalf of the controller”, acting on the instructions of the controller. In contrast to the previous law,

the GDPR imposes direct obligations on both the controller and the processor, although fewer obligations are imposed on the

processor.

The “data subject” is a living, natural person whose personal data are processed by either a controller or a processor.

“Public authority” and “public body” are expressions used in the UK GDPR. The DPA defines them by reference to the definition

of “public authority” used in the Freedom of Information Act 2000.

The DPA also clarifies that, where the purpose and means of processing are determined by an enactment of law, then the person

on whom the obligation to process the data is imposed by the enactment is the controller.

NATIONAL DATA PROTECTION AUTHORITY

The Information Commissioner (whose functions are discharged through the Information Commissioner’s Office (“ICO”)) is the supervisory authority for the UK for the purposes of Article 51 of the UK GDPR. Following Brexit, the ICO no longer has influence or membership in the European Data Protection Board and can no longer be nominated as a lead supervisory authority under the EU GDPR regime. This is reflected in the UK GDPR, which omits Chapter 7 (Cooperation and Consistency) of the EU GDPR, on the basis that the UK will not be part of the EU’s cooperation and consistency mechanisms.

The ICO’s contact details are:

Wycliffe House

Water Lane

Wilmslow

Cheshire SK9 5AF

T +0303 123 1113 (or +44 1625 545745 if calling from overseas)

F 01625 524510

www.ico.org.uk

REGISTRATION

The UK operates a fee-paying scheme for controllers under the Data Protection (Charges and Information) Regulations 2018,

known as the ‘Data Protection Fee’. All controllers have to pay the data protection fee to the ICO annually, unless they are

exempt from doing so. 


The UK Government has set the fee tiers based on its perception of the risks posed by controllers processing personal data. The

amount payable depends upon staff numbers and annual turnover or whether the controller is a public authority, a charity or a

small occupational pension scheme. Not every controller must pay a fee – there are exemptions. The maximum fee, for large

organisations, is GBP 2,900.

The maximum penalty for a controller who breaks the law by not paying a fee (or not paying the correct fee) is a fine of GBP

4,350 (150% of the top tier fee).

DATA PROTECTION OFFICERS

Under the UK GDPR, each controller or processor is required to appoint a data protection officer if it satisfies one or more of

the following tests:

it is a public authority;

its core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and

systemic monitoring of data subjects on a large scale; or

its core activities consist of processing sensitive personal data on a large scale.

Groups of undertakings are permitted to appoint a single data protection officer with responsibility for multiple legal entities

(Article 37(2)), provided that the data protection officer is easily accessible from each establishment (meaning that larger

corporate groups may find it difficult in practice to operate with a single data protection officer).

DPOs must have “expert knowledge” (Article 37(5)) of data protection law and practices, though it is possible to outsource the

DPO role to a service provider (Article 37(6)).

Controllers and processors are required to ensure that the DPO is involved “properly and in a timely manner in all issues which

relate to the protection of personal data” (Article 38(1)), and the DPO must directly report to the highest management level,

must not be told what to do in the exercise of his or her tasks and must not be dismissed or penalised for performing those tasks

(Article 38(3)).

The specific tasks of the DPO, set out in the UK GDPR, include (Article 39):

to inform and advise on compliance with the UK GDPR and other UK data protection laws;

to monitor compliance with the law and with the internal policies of the organization including assigning responsibilities,

awareness raising and training staff;

to advise and monitor data protection impact assessments where requested; and

to cooperate and act as point of contact with the supervisory authority.

COLLECTION & PROCESSING

Data Protection Principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under

these principles, personal data must be (Article 5):

processed lawfully, fairly and in a transparent manner (the “lawfulness, fairness and transparency principle”);

collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with

those purposes (the “purpose limitation principle”);

adequate, relevant and limited to what is necessary in relation to the purpose(s) (the “data minimization principle”);

accurate and where necessary kept up to date (the “accuracy principle”);

kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which

the data are processed (the “storage limitation principle”); and

processed in a manner that ensures appropriate security of the personal data, using appropriate technical and

organizational measures (the “integrity and confidentiality principle”).


The controller is responsible for and must be able to demonstrate compliance with the above principles (the “accountability

principle”). Accountability is a core theme of the UK GDPR. Organisations must not only comply with the UK GDPR but also be

able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record

keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal Basis under Article 6

In order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for

processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article

6(1)):

with the consent of the data subject (where consent must be “freely given, specific, informed and unambiguous”, and must

be capable of being withdrawn at any time);

where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of

the data subject prior to entering into a contract;

where necessary to comply with a legal obligation (under UK law) to which the controller is subject;

where necessary to protect the vital interests of the data subject or another person (generally recognised as being limited

to ‘life or death’ scenarios, such as medical emergencies);

where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority

vested in the controller; or

where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a

balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms

of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special Categories of Personal Data

Processing of special categories of personal data is prohibited (Article 9), except where one of the following exemptions applies

(which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in

addition to an Article 6 basis):

with the explicit consent of the data subject;

where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and

social protection law or a collective agreement;

where necessary to protect the vital interests of the data subject or another natural person who is physically or legally

incapable of giving consent;

in limited circumstances by certain not-for-profit bodies;

where processing relates to the personal data which are manifestly made public by the data subject;

where processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in

their legal capacity;

where necessary for reasons of substantial public interest on the basis of United Kingdom law, proportionate to the aim

pursued and with appropriate safeguards;

where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment, or the management of health or social care systems and services;

where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border

threats to health or ensuring high standards of health care and of medical products and devices; or

where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical

purposes in accordance with restrictions set out in Article 89(1).

Schedule 1 to the DPA supplements the requirements for processing special categories of personal data, and also provides for a number of ‘substantial public interest’ grounds that can be relied upon to process special categories of personal data in specific contexts which are deemed to be in the public interest. Many of these grounds are familiar from the previous UK law, whilst others are new. Important examples include:

processing required for employment law;


health and social care;

equal opportunity monitoring;

public interest journalism;

fraud prevention;

preventing / detecting unlawful acts (eg money laundering / terrorist financing);

insurance; and

occupational pensions. 

Criminal convictions and offences data (Article 10)

The processing of criminal conviction or offences data is prohibited by Article 10 of the UK GDPR, except where specifically authorised under relevant member state law. Part 3 of Schedule 1 of the DPA authorises a controller to process criminal conviction or offences data where the processing is necessary for a purpose which meets one of the conditions in Part 2 of Schedule 1 (this covers the conditions noted above other than processing for employment law, health and social care), as well as a number of other specific conditions:

consent;

the protection of a data subject’s vital interests; and

the establishment, exercising or defence of legal rights, the obtaining of legal advice and the conduct of legal proceedings

Appropriate policy and additional safeguards

In any case where a controller wishes to rely on one of the DPA conditions to lawfully process special category, criminal conviction or offences data, the DPA imposes a separate requirement to have an appropriate policy document in place and to apply additional safeguards to justify the processing activity. The purpose of the policy document is to set out how the controller intends to comply with each of the data protection principles in Article 5 of the UK GDPR in relation to this more sensitive processing activity.

Processing for a Secondary Purpose

Increasingly, organisations wish to ‘re-purpose’ personal data, i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation. To ensure that the rights of data subjects are protected, the UK GDPR sets out a series of factors that the controller must consider to ascertain whether the new processing is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

any link between the original purpose and the new purpose

the context in which the data have been collected

the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are

processed (with the inference being that if they are it will be much harder to form the view that a new purpose is

compatible)

the possible consequences of the new processing for the data subjects

the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new

purpose are consent or a legal obligation.

Transparency (Privacy Notices)

The UK GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or

her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet

easily accessible, privacy notices should, therefore, be seen as a cornerstone of UK GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using

clear and plain language (Article 12(1)).


The following information must be provided (Article 13) at the time the data are obtained:

the identity and contact details of the controller;

the data protection officer’s contact details (if there is one);

both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate

interests for processing;

the recipients or categories of recipients of the personal data;

details of international transfers;

the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;

the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object

to processing and data portability;

where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;

the consequences of failing to provide data necessary to enter into a contract;

the existence of any automated decision making and profiling and the consequences for the data subject; and

in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that

further processing, providing the above information.

Different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the Data Subject

Data subjects enjoy a range of rights to control the processing of their personal data replicating those in the EU GDPR.  

Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period by a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure (‘right to be forgotten’) (Article 17)

Data subjects may request erasure of their personal data.  The right is not absolute; it only arises in quite a narrow set of

circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or

otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the

accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of

the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to

processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or

have transmitted to another controller all personal data concerning him or her in a structured, commonly used and

machine-readable format (e.g. commonly used file formats recognised by mainstream software applications, such as .xsl).

Right to object (Article 21)


Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where

processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they

demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at

any time.

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) “which produces legal effects concerning [the data subject] … or similarly

significantly affects him or her” is only permitted where:

necessary for entering into or performing a contract;

authorised by UK law; or

the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of the first or third of those grounds (performance of a contract, or explicit consent), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view. Further safeguards for automated decisions that are necessary for entering into or performing a contract or which are authorised by UK law are set out in section 14 of the DPA.

Child’s consent to information society services (Article 8)

Article 8(1) of the UK GDPR stipulates that a child may only provide their own consent to processing in respect of information

society (primarily, online) services, where that child is over 16 years of age, unless UK law applies a lower age. The DPA reduces

the age of consent for these purposes to 13 years for the UK.

TRANSFER

Transfers from the UK

Transfers of personal data by a controller or a processor to third countries outside of the United Kingdom are only permitted

where the conditions laid down in the UK GDPR are met (Article 44).

The United Kingdom Government has the power to make an adequacy decision in respect of a third country under the UK GDPR (Article 45). This power is equivalent to the authority the EC has under the EU GDPR and involves the Secretary of State making a positive determination that the third country provides for an adequate level of data protection, following which personal data may be freely transferred to that third country (Article 45(1)). Currently, the following countries or territories enjoy UK adequacy decisions (these have all essentially been ‘rolled over’, on a temporary basis, from the EU GDPR): Andorra, Argentina, Canada (with some exceptions), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand. The UK is also treating all EU and EEA Member States as adequate jurisdictions, again on a temporary basis. The United Kingdom intends to reassess all these adequacy decisions before the end of 2024. It also has the power to make its own adequacy decisions, and will likely in time consider new candidates for UK adequacy.

Transfers to third countries are also permitted where appropriate safeguards have been provided by the controller or processor and on condition that enforceable data subject rights and effective legal remedies for the data subject are available (Article 46). The list of appropriate safeguards includes, amongst others, binding corporate rules and standard contractual clauses with additional safeguards to guarantee an essentially equivalent level of protection to data subjects and their personal data [1]. Schedule 21 to the DPA provides that the EU Commission approved standard contractual clauses may continue to be used for transfers under the UK GDPR, until such time as they are replaced by clauses issued by the UK Government. Note that the standard contractual clauses carried into UK law are those which were in use as at the end of 2020. It is expected these will be updated during the course of 2021.

Article 49 of the UK GDPR also includes a list of context specific derogations, permitting transfers to third countries where:


explicit informed consent has been obtained;

the transfer is necessary for the performance of a contract or the implementation of pre-contractual measures;

the transfer is necessary for the conclusion or performance of a contract concluded in the interests of the data subject

between the controller and another natural or legal person;

the transfer is necessary for important reasons of public interest;

the transfer is necessary for the establishment, exercise or defence of legal claims;

the transfer is necessary in order to protect the vital interests of the data subject where consent cannot be obtained; or

the transfer is made from a register which according to domestic law is intended to provide information to the public,

subject to certain conditions.

There is also a very limited derogation to transfer where no other mechanism is available and the transfer is necessary for the

purposes of compelling legitimate interests of the controller which are not overridden by the interests and rights of the data

subject; notification to the supervisory authority and the data subject is required if relying on this derogation.

Transfers demanded by courts, tribunals or administrative authorities of countries outside the United Kingdom (Article 48) are

only recognised or enforceable (within the United Kingdom) where they are based on an international agreement such as a mutual

legal assistance treaty in force between the requesting third country and the United Kingdom; a transfer in response to such

requests where there is no other legal basis for transfer will infringe the UK GDPR.

Transfers from the EU to the UK

The UK is now a third country for the purposes of Chapter V of the EU GDPR. The trade agreement entered into between the EU and the United Kingdom resolves this by making it lawful to transfer personal data from the EU to the United Kingdom for a period of up to six months from 1 January 2021. This ‘bridging’ period is designed to allow the EU time needed to adopt a formal adequacy decision which will allow the continuing flow of personal data to the United Kingdom at least for an interim period (this is subject to the United Kingdom holding back from adopting any of its own adequacy decisions, or approving any new SCCs, that go beyond those already approved by the EU, without prior EU approval). The EU-UK Joint Declaration, published alongside the trade agreement, includes a clear commitment from the EU to secure a favourable adequacy decision for the United Kingdom within the near term.

1. Following the decision of the Court of Justice of the European Union in the Data Protection Commissioner v. Facebook and Max Schrems case (the ‘Schrems II’ case)

SECURITY

The UK GDPR is not prescriptive about specific technical standards or measures. Rather, the UK GDPR adopts a proportionate, context-specific approach to security. Article 32 states that controllers and processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing. In so doing, they must take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. A ‘one size fits all’ approach is therefore the antithesis of this requirement.

However, the UK GDPR does require controllers and processors to consider the following when assessing what might constitute adequate security:

the pseudonymisation and encryption of personal data;

the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and

a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

BREACH NOTIFICATION


The UK GDPR contains a general requirement for a personal data breach to be notified by the controller to the ICO, and for more serious breaches to also be notified to affected data subjects. A “personal data breach” is a wide concept, defined as any “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed” (Article 4).

The controller must notify a breach to the ICO without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay (Article 34).

Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach (Article 33(2)).

The notification to the ICO must include where possible the categories and approximate numbers of individuals and records concerned, the name of the organisation’s data protection officer or other contact, the likely consequences of the breach and the measures taken to mitigate harm (Article 33(3)).

Controllers are also required to keep a record of all data breaches (Article 33(5)) (whether or not notified to the supervisory authority) and permit audits of the record by the ICO.

Breaches in the United Kingdom can be reported to the ICO’s dedicated breach helpline during office hours (+44 303 123 1113). Outside of these hours (or where a written notification is preferred) a pro forma may be downloaded and emailed to the ICO.

ENFORCEMENT

Fines

The UK GDPR empowers supervisory authorities to impose fines of up to 4% of annual worldwide turnover, or GBP 17.5 million (whichever is higher).

It is the intention that fines should, where appropriate, be imposed by reference to the revenue of an economic undertaking rather than the revenues of the relevant controller or processor. Recital 150 of the UK GDPR states that ‘undertaking’ should be understood in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union, which prohibit anti-competitive agreements between undertakings and abuse of a dominant position.

Fines are split into two broad categories.

The highest fines (Article 83(5)) of up to GBP 17.5 million or, in the case of an undertaking, up to 4% of total worldwide turnover of the preceding year, whichever is higher, apply to infringement of:

the basic principles for processing including conditions for consent;

data subjects’ rights;

international transfer restrictions;

any obligations imposed by domestic law for special cases such as processing employee data; and

certain orders of a supervisory authority.

The lower category of fines (Article 83(4)) of up to GBP 8.7 million or, in the case of an undertaking, up to 2% of total worldwide turnover of the preceding year, whichever is the higher, apply to infringement of:

obligations of controllers and processors, including security and data breach notification obligations;

obligations of certification bodies; and

obligations of a monitoring body.

The ICO is not required to impose fines but must ensure in each case that the sanctions imposed are effective, proportionate and dissuasive (Article 83(1)).


Fines can be imposed in combination with other sanctions. To date, the ICO has issued several fines under GDPR, ranging from GBP 275,000 to GBP 20 million.

Investigative and corrective powers

The ICO also enjoys wide investigative and corrective powers (Article 58) including the power to undertake on-site data protection audits and the power to issue public warnings, reprimands and orders to carry out specific remediation activities.

Right to claim compensation

The UK GDPR makes specific provision for individuals to bring private claims against controllers and processors:

any person who has suffered “material or non-material damage” as a result of a breach of the UK GDPR has the right to receive compensation (Article 82(1)) from the controller or processor. The inclusion of “non-material” damage means that individuals will be able to claim compensation for distress even where they are not able to prove financial loss.

data subjects have the right to mandate a consumer protection body to exercise rights and bring claims on their behalf (Article 80).

Individuals also enjoy the right to lodge a complaint with the ICO (Article 77).

All natural and legal persons, including individuals, controllers and processors, have the right to an effective judicial remedy against a decision of the ICO concerning them or for failing to make a decision (Article 78).

Data subjects enjoy the right to an effective legal remedy against a controller or processor (Article 79).

The DPA sets out the specific enforcement powers provided to the ICO pursuant to Article 58 of the UK GDPR, including:

information notices – requiring the controller or processor to provide the ICO with information;

assessment notices – permitting the ICO to carry out an assessment of compliance;

enforcement notices – requiring the controller or processor to take, or refrain from taking, certain steps; and

penalty notices – administrative fines.

The ICO has the power to conduct a consensual audit of a controller or a processor, to assess whether that organisation is complying with good practice in respect of its processing of personal data.

Under Schedule 15 of the DPA, the ICO also has powers of entry and inspection. These will be exercised pursuant to judicial warrant and will allow the ICO to enter premises and seize materials.

The DPA creates two new criminal offences in UK law: the re-identification of de-identified personal data without the consent of the controller, and the alteration of personal data to prevent disclosure following a subject access request under Article 15 of the GDPR. The DPA retains existing UK criminal law offences, eg the offence of unlawfully obtaining personal data.

The DPA requires the ICO to issue guidance on its approach to enforcement, including guidance about the circumstances in which it would consider it appropriate to issue a penalty notice, i.e. administrative fine.

The DPA also requires the ICO to publish statutory codes of practice on direct marketing and data sharing (preserving the position under the previous law).

ELECTRONIC MARKETING

The UK GDPR will apply to most electronic marketing activities, as these will involve some use of personal data (e.g. an email address which includes the recipient’s name). The most plausible legal bases for electronic marketing will be consent, or the legitimate interests of the controller (which is expressly referenced as an appropriate basis by Recital 47). Where consent is relied upon, the strict standards for consent under the UK GDPR are to be noted, and marketing consent forms will invariably need to incorporate clearly worded opt-in mechanisms (such as the ticking of an unticked consent box, or the signing of a statement, and not merely the acceptance of terms and conditions, or consent implied from conduct, such as visiting a website).


Data subjects have an unconditional right to object to (and therefore prevent) any form of direct marketing (including electronic marketing) at any time (Article 21(3)).

Specific rules on electronic marketing (including circumstances in which consent must be obtained) are found in the Privacy and Electronic Communications Regulations 2003 (as amended) (“PEC Regulations”). The PEC Regulations are derived from European Union Directive 2002/58/EC (ePrivacy Directive), which has been retained in UK law post-Brexit.

The PEC Regulations prohibit the use of automated calling systems without the consent of the recipient. The PEC Regulations also prohibit unsolicited electronic communications (ie by email or SMS text) for direct marketing purposes without prior consent from the consumer unless:

the consumer has provided their relevant contact details in the course of purchasing a product or service from the person proposing to undertake the marketing

the marketing relates to offering a similar product or service, and

the consumer was given a means to readily ‘opt out’ of use for direct marketing purposes both at the original point where their details were collected and in each subsequent marketing communication.

Each direct marketing communication must not disguise or conceal the identity of the sender and must include the ‘unsubscribe’ feature referred to above.

The restrictions on marketing by email / SMS only apply in relation to individuals and not where marketing to corporate subscribers.

Enforcement of a breach of the PEC Regulations is dealt with by the ICO. The maximum fine for a breach of the PEC Regulations is GBP 500,000, which can be issued against a company or its directors. The ICO regularly issues fines for direct marketing violations, and it is not uncommon for these to be in the hundreds of thousands of pounds range.

ONLINE PRIVACY

The PEC Regulations (as amended) deal with the collection of location and traffic data by public electronic communications services providers (“CSPs”) and use of cookies (and similar technologies).

Traffic Data

Traffic Data held by a CSP must be erased or anonymised when it is no longer necessary for the purpose of the transmission of a communication.

However, Traffic Data can be retained if:

it is being used to provide a value added service, and

consent has been given for the retention of the Traffic Data.

Traffic Data can also be processed by a CSP to the extent necessary for:

the management of billing or traffic

dealing with customer enquiries

the prevention of fraud, or

the provision of a value added service.

Cookie Compliance

The use and storage of cookies and similar technologies requires:

clear and comprehensive information, and

consent of the website user.


The ICO released comprehensive guidance on the use of cookies and similar technologies in 2019. In line with the standard for ‘GDPR like’ consent under the PEC Regulations, this guidance significantly raised the bar in terms of the ICO’s expectations for cookie consent collection. It is now clear that the ICO expects consent to be collected on a clear opt-in basis – implied consent (such as the continued browsing of a website after being shown a cookie banner) is no longer sufficient. Instead, cookie consent modules that give users granular choices about cookie selection (typically on a ‘by purpose’ basis) are becoming the norm in order to align with the guidance.

Consent is not required for cookies that are:

used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or

strictly necessary for the provision of a service requested by the user.

Enforcement of a breach of the PEC Regulations is dealt with by the ICO. The maximum fine for a breach of the PEC Regulations is GBP 500,000, which can be issued against a company or its directors.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Andrew Dyson
Partner, Global Co-Chair Data Protection, Privacy and Security Group

T +44 (0)113 369 2403

andrew.dyson@dlapiper.com

Ross McKean
Partner

T +44 (0) 20 7796 6077

ross.mckean@dlapiper.com


UNITED STATES

Last modified 24 January 2022

LAW

United States privacy law is a complex patchwork of national, state and local privacy laws and regulations. There is no comprehensive national privacy law in the United States. However, the US does have a number of largely sector-specific privacy and data security laws at the federal level, as well as many more privacy laws at the state (and local) level.

Federal and State Privacy Laws and Regulations

Federal laws and regulations include those that apply to financial institutions, telecommunications companies, credit reporting agencies and healthcare providers, as well as driving records, children’s privacy, telemarketing, email marketing and communications privacy laws.

There are also a number of state privacy and data security laws that overlap with federal law—some of these state laws are preempted in part by federal laws, but others are not. US states have also passed privacy and data security laws and regulations that apply across sectors and go beyond federal law—such as data security laws, secure destruction, Social Security number privacy, online privacy, biometric information privacy, and data breach notification laws. Generally, each state’s laws apply to personal information about residents of that state or activities that occur within that state. Thus, many businesses operating in the United States must comply not only with applicable federal law, but also with a number of state privacy and security laws and regulations.

For example, California alone has more than 25 state privacy and data security laws, including the recently enacted California Consumer Privacy Act (CCPA), which introduced sweeping definitions and broad individual rights, and imposed substantial requirements and restrictions on the collection, use and disclosure of personal information. While the CCPA was the first cross-sector, comprehensive privacy law in the United States, several others have since been passed—including the California Consumer Privacy Rights Act (CPRA), which takes effect January 1, 2023 and substantially amends the CCPA, expanding consumer rights and imposing additional compliance obligations and restrictions related to the personal information about California residents. The CPRA also established a new California enforcement agency, which is expected to lead to increased enforcement.

Beyond California, both Virginia and Colorado have enacted new comprehensive state privacy laws that take effect in 2023—the Virginia Consumer Data Protection Act (effective January 1, 2023) and the Colorado Privacy Act (effective July 1, 2023), respectively. While not identical, the Colorado and Virginia laws are substantially similar to each other. Further, both are also generally inapplicable to personal information collected about employees and business relationships. On the other hand, while the CPRA has some practical similarities with the Colorado and Virginia laws, it adopts definitions, requirements and restrictions that vary considerably from these laws, and also, notably, applies to personal information collected from California residents in employment and B2B contexts. More information from DLA Piper on the CCPA and related issues is available at https://www.dlapiper.com/en/us/focus/ccpa/.

In addition, a number of other US states have proposed state-level privacy legislation (including Florida, Maryland, and Oklahoma). Thus, it is highly possible that additional state-level privacy laws will be enacted in the US in 2022.


Enforcement of Unfair and Deceptive Trade Practices

In the United States, consumer protection laws, which prohibit unfair and deceptive business practices, provide another avenue for enforcement against businesses for their privacy and security practices.

At the federal level, the US Federal Trade Commission (FTC) uses its authority to protect consumers against unfair or deceptive trade practices, to take enforcement actions against businesses for materially unfair privacy and data security practices. The FTC uses this authority to, among other things, take enforcement actions and investigate companies for:

Failing to implement reasonable data security measures

Making materially inaccurate or misleading privacy and security statements, including in privacy policies

Failing to abide by applicable industry self-regulatory principles

Transferring or attempting to transfer personal information to an acquiring entity in a bankruptcy or M&A transaction, in a manner not expressly disclosed in the applicable consumer privacy policy

Violating consumer privacy rights by collecting, using, sharing or failing to adequately protect consumer information, in violation of standards established in their prior enforcement precedents

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states. State attorneys general also sometimes work together on enforcement actions against companies for actions that broadly affect the consumers of multiple states (such as data breaches).

DEFINITIONS

Definition of personal data

Varies widely by law and regulation. The definition of personal information varies under US law. Some laws—such as data breach and security laws—apply more narrowly, to sensitive personal information, such as government identifiers, financial account information, password, biometrics, health insurance or medical information, and other information that can lead to identity fraud and theft or financial harm. On the other hand, under a number of state and federal laws, personal information broadly includes any information that identifies or is linked or reasonably linkable to an individual.

California

Under the CCPA and CPRA, personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. The definition specifically includes name, alias, contact information, government IDs, biometrics, genetic data, location data, account numbers, education history, purchase history, online and device IDs, and search and browsing history and other online activities, if such information is linked or linkable with a particular consumer or household. Under the law, consumer is broadly defined as any resident of California.

Colorado

Under the Colorado Privacy Act, personal data includes information that is linked or reasonably linkable to an identified or identifiable individual, who is a Colorado resident acting in an individual or household capacity (ie, personal information about individuals acting in an employment or B2B context is not in scope).

Virginia

Under the Virginia Consumer Data Protection Act, personal data includes any information that is linked or reasonably linked to an identified or identifiable natural person, who is a Virginia resident acting in an individual or household capacity (ie, personal information about individuals acting in an employment or B2B context is not in scope).

Definition of sensitive personal data


Varies widely by sector and by type of statute.

Generally, personal health data, financial data, credit worthiness data, student data, biometric data, personal information collected online from children under 13, and information that can be used to carry out identity theft or fraud are considered sensitive, and subject to additional restrictions and regulations.

For example, state breach notification laws and data security laws generally apply to more sensitive categories of information, such as Social Security numbers and other government identifiers, credit card and financial account numbers, passwords and user credentials, health or medical information, insurance ID, digital signatures, and/or biometrics.

California

The CPRA defines sensitive personal information as personal information that reveals about a consumer one or more of the following types of information, including:

Social Security, driver’s license, state identification card or passport number

account log-in, financial account, debit card or credit card number in combination with any required security or access code, password or credentials allowing access to an account

precise geolocation

racial or ethnic origin, religious or philosophical beliefs, or union membership

contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication

genetic data

biometric information

health information

information about sex life or sexual orientation

The CCPA does not define sensitive personal information.

Virginia

Under the Virginia Consumer Data Protection Act, sensitive data is defined as a category of personal data that includes data revealing racial or ethnic origin, religious beliefs, physical or mental health diagnosis, sexual orientation, or citizen or immigrant status, as well as processing of genetic or biometric data for identification, precise geolocation data, and personal data collected from a known child.

NATIONAL DATA PROTECTION AUTHORITY

There is no single national authority.

With some exceptions (such as for banks, credit unions and insurance companies), the FTC has jurisdiction over most commercial entities and has authority to issue and enforce federal privacy regulations (including telemarketing, email marketing, and children’s privacy) and to take enforcement action to protect consumers against unfair or deceptive trade practices, including materially unfair privacy and data security practices.

Many state attorneys general have similar enforcement authority over unfair and deceptive business practices, including failure to implement reasonable security measures and violations of consumer privacy rights that harm consumers in their states.

California 

The California Attorney General has the authority to enforce the CCPA and CPRA (once in force) and most California consumer privacy laws. Additionally, the CPRA establishes a new enforcement agency, the California Privacy Protection Agency (CPPA), vested with administrative power and authority to implement and enforce the CPRA.

California consumers also have a private right of action, under both the CCPA and CPRA, for certain data breaches.


Colorado

The Colorado Attorney General has the authority to enforce the CPA.

Virginia

The Colorado Attorney General has the authority to enforce the VCDPA.

In addition, a wide range of sector-specific regulators, particularly those in the healthcare, financial services, telecommunications and insurance sectors, have authority to issue and enforce privacy and security regulations, with respect to entities under their jurisdiction.

REGISTRATION

There is no requirement to register databases or personal information processing activities. However, two states impose certain registration requirements on data brokers:

California 

The CCPA (as amended in 2019) requires (subject to some exceptions) that data brokers register with the California Attorney General. Under the law, a “data broker” is defined as a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship. The terms “sell” and “personal information” are defined as set forth in the CCPA.

Vermont

In 2018, Vermont passed a law requiring data brokers to register with the secretary of state and adhere to minimum data security standards. Under the law a “data broker” is defined as a company that collects computerized, personal information of Vermont residents with whom the company has no direct relationship, and either sells or licenses that information.

In addition, several state laws require entities that engage in certain types of telemarketing activities to register with the state attorney general or other consumer protection agency.

DATA PROTECTION OFFICERS

With the exception of entities regulated by HIPAA, there is no general requirement to appoint a formal data security officer or data privacy officer.

Massachusetts and some other state laws and federal regulations require organizations to appoint one or more employees to maintain their information security program.

COLLECTION & PROCESSING

US privacy laws and self-regulatory principles vary widely, but generally require that a notice be provided or made available pre-collection (eg, in a privacy policy) that discloses a company’s collection, use and disclosure practices, the related choices consumers have regarding their personal information, and the company’s contact information.

Opt-in consent is required under certain circumstances to collect, use and disclose certain sensitive data, such as health information, credit reports, financial information, children’s personal information, biometric data, video viewing choices, geolocation data and telecommunication usage information.

The CPA (Colorado) and VCDPA (Virginia) require that a business obtain consent from consumers to collect their sensitive data.

The (federal) Children’s Online Privacy Protection Act (COPPA) requires verifiable parental consent prior to the collection of any personal information from children under 13. In addition, the CCPA and CPRA require that a business obtain explicit consent prior to the sale of any personal information about a consumer that the business has “actual knowledge” is less than 16 years old, and where the consumer is less than 13 years old, express parental authorization is required. (As discussed further below, the


definition of “sale” under the CCPA is very broad and may include online advertising and retargeting activities, for example.) Under the CPRA, this concept expands to the concept of “sharing” a minor’s consumer personal information (as such term is broadly defined under the CPRA).

Further, companies generally need to obtain opt-in consent prior to using, disclosing or otherwise treating personal information in a manner that is materially different than what was disclosed in the privacy policy applicable when the personal information was collected. The FTC deems such changes ‘retroactive material changes’ and considers it unfair and deceptive to implement a retroactive material change without obtaining prior, affirmative consent. Under the CCPA (California), which applies to individual and household data about California residents, businesses must, among other things:

At or before collection, notify consumers of the categories of personal information to be collected and the purposes of use of such information

Post a privacy policy that discloses:

the categories of personal information collected, categories of personal information disclosed for a business purpose, and categories of personal information “sold” by the business in the prior 12 months

the purposes for which the business collects, uses and sells personal information

the categories of sources from which the business collects personal information

the categories of third parties to whom the business discloses personal information and

the rights consumers have regarding their personal information and how to exercise those rights

Include a “do-not-sell my information” link on the business’s website and a page where consumers can opt out of the sale of their personal information (if applicable)

Generally, provide at least two methods for consumers to submit CCPA requests to the business, including an online method (e.g., submission of an online form) and a toll-free number

Other California privacy laws (eg, the California “Shine the Light Law” and the California Online Privacy Protection Act) currently in force impose additional notice obligations, including:

Where any personal information is disclosed to a third party for their own marketing use, a specific notice about such disclosure (eg, in a company’s privacy policy) must be provided and accessible through a special link on their homepage. Further, the law gives California residents the right to request a list of the personal information and third parties to whom such information was disclosed for marketing purposes in the prior 12 months

Whether the company honors any do-not-track mechanisms

Under US privacy law such as the CCPA, individuals have rights to request access and deletion of their personal information and to “opt out” of sales of their personal information. Under the upcoming California (CPRA), Colorado (CPA) and Virginia (VCDPA) privacy laws, consumers will have additional rights, including the right to correction of their personal information and certain rights to opt out of sales, sharing and targeted advertising. Further, these laws require businesses to conduct data protection or risk assessments before engaging in certain higher-risk processing activities, such as processing that relates to:

Certain unfair or intrusive profiling or targeted advertising purposes

Selling of personal data

Processing sensitive data

Virginia’s law (VCDPA) also requires businesses to establish an internal process whereby consumers may appeal a controller’s refusal to take action on a privacy request and, where the appeal is denied, an online mechanism or other method by which the consumer can submit a complaint to the Colorado Attorney General

Other states impose a wide range of specific requirements, particularly in the student and employee privacy areas. For example, a significant number of states have enacted employee social media privacy laws, and, in 2014 and 2015, a disparate array of education privacy laws. In addition, there are a number of sector-specific privacy laws that impose notice obligations, significantly limit permitted disclosures of personal information, and grant individuals the right to access or review records about the individual that are held by the regulated entity.

The US also regulates marketing communications extensively, including telemarketing, text message marketing, fax marketing and email marketing (which is discussed below).

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World United States 1110 | | | www.dlapiperdataprotection.com

TRANSFER

There are generally no geographic transfer restrictions that apply in the US, except with regard to storing some governmental records and information.

SECURITY

Most US businesses are required to take reasonable technical, physical and organizational measures to protect the security of sensitive personal information (e.g., health or financial information, telecommunications usage information, biometric data, or information that would require security breach notification). A few states have enacted laws imposing more specific security requirements for such data.

For example, Massachusetts has enacted regulations that apply to any company that collects or maintains sensitive personal information (e.g., name in combination with Social Security number, driver’s license, passport number, or credit card or financial account number) on Massachusetts residents. Among other things, the Massachusetts regulations require regulated entities to have a comprehensive, written information security program and set forth the minimum components of such a program, including binding all service providers who touch this sensitive personal information to protect it in accordance with the regulations. Massachusetts law includes encryption requirements on the transmission of sensitive personal information across wireless networks or beyond the logical or physical controls of an organization, as well as on sensitive personal data stored on laptops and portable storage devices.

Some states impose further security requirements on payment card data and other sensitive personal information. In 2019, New York passed a new law (the New York “SHIELD Act”) setting forth minimum security obligations for safeguarding private information. The SHIELD Act does not mandate specific safeguards but rather provides that a business will “be deemed to be in compliance” with the law if it implements a security program that includes elements set forth in the SHIELD Act.

The CCPA provides a private right of action to individuals for certain breaches of unencrypted personal information, which increases class action risks posed by data breaches.

There are also a number of other sectoral data security laws and regulations that impose specific security requirements on regulated entities – such as in the financial, insurance and health sectors. Federal financial regulators impose extensive security requirements on the financial services sector, including requirements for security audits of all service providers who receive data from financial institutions. For example, the New York Department of Financial Services (NYDFS) regulations impose extensive cybersecurity and data security requirements on licensees of the NYDFS, which include financial services and insurance companies. The national Gramm-Leach-Bliley Act and implementing regulations require financial institutions to implement reasonable security measures.

HIPAA regulated entities are subject to much more extensive data security requirements. HIPAA security regulations apply to so-called ‘covered entities’ such as doctors, hospitals, insurers, pharmacies and other healthcare providers, as well as their ‘business associates’, which include service providers who have access to, process, store or maintain any protected health information on behalf of a covered entity. ‘Protected health information’ under HIPAA generally includes any personally identifiable information collected by or on behalf of the covered entity during the course of providing its services to individuals.

Internet of Things

California recently enacted the first US Internet of Things (IoT) legislation, effective January 1, 2020. Under SB 327, manufacturers of most IoT and Bluetooth connected devices will be required to implement reasonable security features ‘appropriate to the nature and the function of the device and the information the device may collect, contain or transmit’ and ‘designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.’

BREACH NOTIFICATION

All 50 US states, Washington, DC, and most US territories (including Puerto Rico, Guam and the Virgin Islands) have passed breach notification laws that require notifying state residents of a security breach involving more sensitive categories of information, such as Social Security numbers and other government identifiers, credit card and financial account numbers, health or medical information, insurance ID, tax ID, birthdate, as well as online account credentials, digital signatures and/or biometrics. Under many state laws, where more than 500 individuals are impacted, notice must also be provided to credit bureaus. Nearly half of states also require notice to state attorneys general and/or other state officials of certain data breaches. Also, some state data breach laws impose certain (varying) notice content and timing requirements with respect to notice to individuals and to state attorneys general and/or other state officials.

Federal laws require notification in the case of breaches of healthcare information, breaches of information from financial institutions, breaches of telecom usage information held by telecommunication providers, and breaches of government agency information.

ENFORCEMENT

Various entities enforce US national and state privacy laws. Violations of privacy laws and rules are generally enforced by the FTC, state attorneys general or the regulator for the industry sector in question. Civil penalties can be significant.

In addition, individuals may bring private rights of action (and class actions) for certain privacy or security violations. Some privacy laws (for example, credit reporting, marketing and electronic communications, video viewing history, call recording and cable communications privacy laws) may be enforced through private rights of action, which give rise to class action lawsuits for significant statutory damages and attorney’s fees, and individuals may bring actions for actual damages from data breaches.

As of January 1, 2020, California law (the CCPA) now provides individuals with a private right of action and statutory damages, in the event of certain breaches of unencrypted personal information, where a business has failed to implement reasonable data security procedures (this applies to most categories of personal information under California’s breach notification law) – this raises significant class action risks.

In June 2018, Ohio became the first US state to pass cybersecurity safe harbor legislation. Under SB 220, a company that has suffered a data breach of personal information has an affirmative defense if it has ‘created, maintained, and complied with a written cybersecurity program that contains administrative, technical, and physical safeguards to protect personal information that reasonably conforms to an industry recognized cybersecurity framework’ (e.g., PCI-DSS standards, NIST Framework, NIST special publications 800-171, 800-53, and 800-53a, FedRAMP security assessment framework, HIPAA, GLBA).

ELECTRONIC MARKETING

The US regulates marketing communications extensively, including email and text message marketing, as well as telemarketing and fax marketing.

Email

The CAN-SPAM Act is a federal law that applies labeling and opt-out requirements to all commercial email messages. CAN-SPAM generally allows a company to send commercial emails to any recipient, provided the recipient has not opted out of receiving such emails from the sender, the email identifies the sender and the sender’s contact information, and the email contains instructions on how the recipient can easily and without cost opt out of future commercial emails from the sender. The FTC and state attorneys general, as well as ISPs and corporate email systems, can sue violators. Knowingly falsifying the origin or routing of a commercial email message is a federal crime.

Text Messages

Federal and state regulations apply to the sending of marketing text messages to individuals. Express consent is required to send text messages to individuals, and, for marketing text messages, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any text messaging (marketing or informational) program needs to be carefully reviewed for strict compliance with legal requirements.


Calls to Wireless Phone Numbers

Similar to text messages, federal and state regulations apply to marketing calls to wireless phone numbers. Prior express consent is required to place phone calls to wireless numbers using any autodialing equipment, and, for marketing calls, express written consent is required (electronic written consent is sufficient, but verbal consent is not). The applicable regulations also specify the form of consent. This is a significant class action risk area, and any campaign or program that involves calls (marketing or informational) to phone numbers that may be wireless phone numbers needs to be carefully reviewed for strict compliance with legal requirements. The definition of autodialing equipment is generally considered to, broadly, include any telephone system that is capable of (whether or not used or configured for) storing or producing telephone numbers to be called, using a random or sequential number generator.

Telemarketing

Beyond the rules applicable to text messaging and calling to wireless phone numbers, there are federal and state telemarketing laws as well. Federal telemarketing laws apply to most telemarketing calls and programs, and state telemarketing law will apply to telemarketing calls placed to or from within that particular state. As a result, most telemarketing calls are governed by federal law, as well as the law of one or more states. Telemarketing rules vary by state, and address many different aspects of telemarketing, such as calling time restrictions, do-not-call registries, opt-out requests, mandatory disclosures, requirements for completing a sale, executing a contract or collecting payment during the call, further restrictions on the use of auto-dialers and pre-recorded messages, and record-keeping requirements. Many states also require telemarketers to register or obtain a license to place telemarketing calls.

Fax Marketing

Federal law and regulations generally prohibit the sending of unsolicited advertising by fax without prior, express consent. Violations of the law are subject to civil actions and have been the subject of numerous class action lawsuits. The law exempts faxes to recipients that have an established business relationship with the company on whose behalf the fax is sent, as long as the recipient has not opted out of receiving fax advertisements and has provided their fax number ‘voluntarily,’ a concept which the law specifically defines.

The law also requires that each fax advertisement contain specific information, including:

A ‘clear and conspicuous’ opt-out method on the first page of the fax

A statement that the recipient may make a request to the sender not to send any future faxes and that failure to comply with the request within 30 days is unlawful, and

A telephone number, fax number, and cost-free mechanism to opt out of faxes, which permit consumers to make opt-out requests 24 hours a day, seven days a week

Violations are subject to a private right of action and statutory damages, and thus pose a risk of class action lawsuits

ONLINE PRIVACY

There is no specific federal law that per se regulates the use of cookies, web beacons and other similar tracking mechanisms. However, the state online privacy laws require notice of online tracking and of how to opt out of it.

Under California law, any company that tracks any personally identifiable information about consumers over time and across multiple websites must disclose in its privacy policy whether the company honors any ‘Do-Not-Track’ method or provides users a way to opt out of such tracking; however, the law does not mandate that companies provide consumers a ‘Do-Not-Track’ option. The same law also requires website operators to disclose in their privacy policy whether any third parties may collect any personally identifiable information about consumers on their website and across other third party websites, and prohibits the advertising of certain products, services and materials (including alcohol, tobacco, firearms, certain dietary supplements, ultraviolet tanning, tattoos, obscene matters, etc.). Further, given the CCPA’s broad definition of personal information, information collected via cookies, online, mobile and targeted ads, and other online tracking is likely to be subject to the requirements of the law.

More generally, given the broad definition of personal information under the comprehensive state privacy laws, information collected via cookies and similar technologies is generally subject to the requirements of the law (e.g., notice and consumer rights). For example, under the CCPA a “sale” includes selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information by one business to another business or a third party for monetary or other valuable consideration. This broad definition may sweep in certain online advertising activities — for example, where a business permits the collection and use of information through certain third party cookies and tags on their website, in order to better target the business’ ad campaigns on third party websites or in exchange for compensation from a third party ad network.

Minors

The Children’s Online Privacy Protection Act and regulations (COPPA) applies to information collected automatically (e.g., via cookies) from child-directed websites and online services and other websites, online services and third party ad networks or plug-ins that knowingly collect personal information online from children under 13. COPPA also regulates behavioral advertising to children under 13 as well as the collection of geolocation information, requiring prior verifiable parental consent to engage in such advertising or collection.

California law requires that operators of websites or online services that are directed to minors or that knowingly collect personally identifiable information from minors permit minors that are registered users of their sites to remove any content the minor has posted from the site or online service. The law does not give minors the right to remove information posted by third parties. Minors must be given clear notice on how to exercise their right to removal. Certain state privacy laws (such as the CCPA, CPA or VCDPA) also require that a business obtain explicit consent prior to selling any personal information about an individual the business has actual knowledge is under 16 years old.

Location Data

Generally, specific notice and consent is needed to collect precise (e.g., mobile device) location information.

KEY CONTACTS

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Andrew Serwin
Partner, Global Co-Chair Data Protection, Privacy and Security Group

T +1 858 677 1418

andrew.serwin@dlapiper.com

Jennifer Kashatus
Partner

T +1 202 799 4448

jennifer.kashatus@dlapiper.com

Kate Lucente
Partner and Co-Editor, Data Protection Laws of the World

T +1 813 222 5927

kate.lucente@dlapiper.com


URUGUAY

Last modified 15 February 2022

LAW

Data Protection Act Law No. 18.331 (11 August 2008); Decree No. 414/009 (31 August 2009) and Decree 64/2020 (17 February 2020).

DEFINITIONS

Definition of personal data

Any kind of information related to an individual or legal entity identified or identifiable.

Definition of sensitive personal data

Any kind of personal data evidencing: racial or ethnic origin, political preferences, religious or moral beliefs, trade union

membership and any kind of information concerning health or sexual life.

NATIONAL DATA PROTECTION AUTHORITY

Unidad Reguladora de Control y Actos Personales (“URCDP”) (the “Data Protection Authority”).

REGISTRATION

The Uruguayan legal system requires the registration of all databases containing personal data of individuals or legal entities (Articles 24, 28, and 29 of the Act and Articles 15 to 20 of the Decree 414/009).

The Law applies when the processing of personal data is performed by controllers located in Uruguay.

The Act has extraterritorial effects in the following cases:

if the activities are related to the offer of goods or services to individuals residing in Uruguay, or intended to monitor their behaviour;

if private international laws or contractual agreements so establish it; and

if the processing is made by using means located in Uruguay, with the exception of the cases in which those means are used for the sole purpose of transit, and there is a person responsible for the processing with residency in Uruguay, appointed by the controller before the URCDP.

The register must be updated every three months (Article 20 of the Decree 414/009).

DATA PROTECTION OFFICERS


The appointment of a Data Protection Officer (DPO) is mandatory in the following cases: (i) public state or non-state entities, (ii) private or partially state-owned entities, (iii) private entities which process sensitive data as a core activity, and (iv) private entities which process large scales of data.

Decree 64/2020 clarifies that large scales of data means the data processing of more than 35,000 subjects.

The DPO must meet the conditions required for the correct performance of his/her duties. He/she must act autonomously in technical matters.

The appointment of a DPO must be submitted before the URCDP for its approval. If the legal and technical requirements are not met, the Regulator is entitled to deny or revoke (as the case may be) the filing/authorisation of the appointed DPO.

COLLECTION & PROCESSING

In order to collect the information which is contained in the database, the data processor should obtain prior documented consent from the individual or entity whose information is being processed. Documented consent is not required in the following cases:

personal data obtained from public sources;

personal data obtained by public bodies to comply with legal obligations;

personal data limited to domicile, telephone number, ID number, nationality, tax number, corporation name;

personal data obtained on the basis of a contractual or professional relationship, which is necessary to perform the contract or to develop the professional services to be rendered; and

personal data obtained by individuals or corporations for their personal and exclusive use.

The personal data processed cannot be used for purposes different from those that have justified the acquisition of the information. It is understood that legitimate reasons (i.e. reasons which are not against the law) must pre-exist and underlie the processing of the personal information. The Data Protection Act further establishes that once the reasons to process the personal information have disappeared, the personal information must be deleted.

TRANSFER

Personal data can only be transferred to a third party:

for the compliance of purposes directly related to the legitimate interest of the transferring party and the transferee; and

with the previous consent of the data subject (i.e. the individual whose data is being transferred). Such consent may be revoked. Additionally, the data subject must be informed of the purpose of the transfer as well as of the identity of the transferee.

The previous consent of the data subject would not be necessary when the individual’s data to be transferred is limited to: name, surname, identity card number, nationality, address, and date of birth.

The purpose and proper identification of the transferee must be included in the consent communication that would be addressed to the data subject. Evidence of the data subject’s consent must be kept in the files of the data processor.

If the data subject’s consent is not obtained within ten business days (counted from the receipt of the communication from the data processor asking for the consent), it will be construed that the data subject did not consent to the transfer of the data.

Upon the transfer, the data processor will remain jointly and severally liable for the compliance of the transferee’s obligations under the Data Protection Act.

The Data Protection Act forbids the transfer of personal data to countries or international entities which do not provide adequate levels of data protection (according to URCDP). However, the Data Protection Act allows international transfer to unsafe countries or entities when the data subject consents to the transfer (such consent must be given in writing), or when the guarantees of adequate protection levels arise from “contractual clauses” and “self regulation systems”. The international data transfer agreement must establish the same levels of protection which are effective under the laws of Uruguay.


In the case of a cross-border transfer within a group of companies, Uruguayan laws establish that the international transfer will be lawful without any authorisation whenever the branch has the same conduct code duly registered before the local URCDP. The international transfer of personal data between headquarters and their respective branches or subsidiaries is authorised when the headquarters and their branches have a conduct code duly filed before URCDP.

SECURITY

The data processor must implement appropriate technical and organisational measures to guarantee the security and confidentiality of the personal data. These measures should be aimed at avoiding the loss, falsification, non-authorised treatment or inquiry, as well as at detecting information that may have been leaked, whether by human intervention or not.

It is forbidden to register personal data in databases which do not meet technical safety conditions.

BREACH NOTIFICATION

Data breaches and data incidents must be reported to the URCDP and to the data subject.

Once the DPO or the Data Controller confirms the occurrence of a security breach, it must be notified to the URCDP within 72 hours.

Notification to data subjects must be done once the DPO or the Data Controller confirms the occurrence of a security breach. The Uruguayan Data Privacy Act requires the notification to be effected “as soon as practicable”, but fails to spell out a precise time frame for such notice.

Legal requirement of the data breach/incident

Notification to the Regulator must contain relevant information, including:

the certain or estimated date of the occurrence of the breach;

the main characteristics of the breach;

details of the data affected; and

the possible impacts.

The regulation does not state any formalities for the communication to the data subject. However, it states that such notification must be clear and simple.

After the first notification to the Regulator within the first 72 hours after the data breach/incident, a second communication must be made by the DPO or the Data Controller to the Regulator. The second report must indicate all the details of what happened and the measures that were adopted and carried out so that such violation/incident has been mitigated and does not occur again. The Act does not state a time frame for execution of the second report.

ENFORCEMENT

The URCDP is responsible for the enforcement of the Data Protection Act. In the context of its powers, the URCDP is entitled to:

request that the data processor exhibit books, documents and files, electronic or not;

summon the data processor before the URCDP in order to provide information;

intervene in the documents and files inspected;

adopt security or protection measures in order to preserve the documentation, including copying the files;

seize or impound the documents and files for six days;

carry out inspections on the data processor’s offices;

summon third parties to appear before the URCDP.

The URCDP has the authority to impose penalties against the data processor in the following order: warning, admonition, fines up to USD 60,000, suspension of the database for five days, and closure of the database.


ELECTRONIC MARKETING

The Act will apply to most electronic marketing activities, as these activities likely involve the processing and use of personal data (e.g. an email address is likely to be “personal data” for the purposes of the Act). The Act does not prohibit the use of personal data for the purposes of electronic marketing but grants personal data owners the right to demand the elimination or blocking of their data from the database.

Personal data can be used and processed for marketing purposes when it has been taken from public documents, when it has been provided by the personal data owner or when prior consent has been gathered.

ONLINE PRIVACY

There are no express provisions in this respect; therefore, the general principles apply: the personal data processed cannot be used for purposes different from those that have justified the acquisition of the information, and when the reasons to process the personal information have disappeared, the personal information must be deleted.

KEY CONTACTS

Bergstein Abogados

www.bergsteinlaw.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Jonás Bergstein
Partner

Bergstein Abogados

jbergstein@bergsteinlaw.com

Santiago Di Bello
Senior Associate

Bergstein Abogados

T (598) 2 901 2448

sdibello@bergsteinlaw.com

Guzman Ramírez
Senior Associate

Bergstein Abogados

T (598) 2 901 2448

gramirez@bergsteinlaw.com


UZBEKISTAN

Last modified 21 February 2022

LAW

Until recently, Uzbekistan did not have a stand-alone personal data protection law. The situation changed with the adoption on 2 July 2019 of the Law of the Republic of Uzbekistan No. ZRU-547 “On Personal Data” (“Law on Personal Data”), which entered into force on 1 October 2019.

With the entry into force of the Law on Personal Data, a unified set of main rules and requirements in the area of data protection and processing that is aimed at substantial regulation of these issues was introduced in Uzbekistan.

The scope of application of this Law is rather broad, as it applies to relations arising from processing and protection of personal data, regardless of the applied means of processing, including information technologies.

Apart from the Law on Personal Data, there are certain legal acts that establish fundamental principles of data protection and processing and / or set liability for violation of data protection rules. They include:

Constitution of the Republic of Uzbekistan, entered into force on December 8, 1992;

Civil Code of the Republic of Uzbekistan, entered into force on 1 March 1997;

Labour Code of the Republic of Uzbekistan, entered into force on 1 April 1996;

Code of the Republic of Uzbekistan on Administrative Liability, entered into force on 1 April 1995 (‘Code on Administrative Liability’);

Criminal Code of the Republic of Uzbekistan, entered into force 1 April 1995 (‘Criminal Code’);

Law No. 439-II ‘On Principles and Guarantees of Freedom of Information’ dated December 12, 2002;

Law No. 560-II ‘On Informatization’ dated December 11, 2003.

Lastly, there are also sector-specific laws applicable depending on the type of industry. Data protection regulation exists mainly in the financial, telecommunication, health and insurance sectors and consists of the following legal acts:

Law No. 530-II ‘On Bank Secrecy’ dated August 30, 2003, under which a bank is prohibited from disclosing bank secrecy and should guarantee its protection

Law No. 822-I ‘On Telecommunications’ dated August 20, 1999, under which all operators and service providers are obliged to ensure the secrecy of communications

Law No. 265-I ‘On Protection of Citizens’ Health’ dated August 29, 1996, under which medical secrecy is protected

Law No. 358-II ‘On Insurance Activities’ dated April 5, 2002, under which insurance companies should guarantee the confidentiality of information which became available in the course of provision of insurance services.

DEFINITIONS

Definition of personal data

The Law on Personal Data defines Personal Data as information recorded on electronic, paper and / or other tangible medium, relating to a specific individual or that allows the means to identify such individual (i.e. ‘subject of personal data’).

Apart from the above, the Law on Personal Data distinguishes separate types of personal data in respect of which the Law

imposes a special processing and protection regime. They include:

special personal data, i.e. data about racial or social origin, political, religious or ideological beliefs, membership in

political parties and trade unions, as well as data regarding physical or mental health, information about private life and

criminal records;

biometric personal data, i.e. personal data characterizing anatomical and physiological characteristics of the subject of

personal data;

genetic personal data, i.e. personal data related to the inherited or acquired characteristics of the subject of personal data, which is the result of the analysis of a biological sample of the subject or the analysis of another element that allows equivalent information to be obtained.

Definition of sensitive personal data

The Law on Personal Data does not provide for an express definition of sensitive personal data. Yet, it distinguishes the category of special personal data. Under the foregoing Law, special personal data includes:

data about racial or social origin;

data about political, religious or ideological beliefs;

data about membership in political parties and trade unions;

data about physical and mental health;

data about private life and criminal records.

NATIONAL DATA PROTECTION AUTHORITY

The Law on Personal Data designates the Cabinet of Ministers of the Republic of Uzbekistan (the ‘Cabinet of Ministers’) and the State Personalization Centre under the Cabinet of Ministers (‘State Personalization Centre’) as the main regulatory authorities in respect of the protection of personal data.

Additionally, following the latest amendments to Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 707 “On Measures for Further Improvement of Information Security in Internet” dated 5 September 2018 (“Resolution No. 707”), adopted in pursuance of the recently introduced localization requirement, the State Inspection of the Republic of Uzbekistan on Informatization and Telecommunication was designated as a state authority empowered, inter alia, to:

implement the state control over the activity of personal database owners and operators by monitoring their activities;

issue notifications, instructions, as well as orders that are to be fulfilled by public authorities, individuals and/or legal

entities, in order to ensure compliance with the data protection laws;

maintain the Register of Infringers of the Rights of Personal Data Subjects.

REGISTRATION

The Law on Personal Data requires a personal data database to be registered with the State Registry of Personal Databases

maintained by the State Personalization Centre. The registration should represent a simple notification with the State

Personalization Centre.

The registration is performed by an owner / operator of a personal database by way of notification, i.e. by approaching the State Personalization Centre in person or via its website (Government registry for personal databases: https://pd.gov.uz/).

The registration procedure for a personal database is mainly set forth by the Regulation on the State Register of Personal Databases, approved by the Resolution of the Cabinet of Ministers of the Republic of Uzbekistan No. 71 dated 8 February 2020 (“Regulation No. 71”).

Under Regulation No. 71, to register a personal database, an owner / operator of personal data is required to fill in and submit the application as per the prescribed form to the State Personalization Centre. In its turn, the State Personalization Centre shall review

the submitted application within 15 days from the date of its receipt. Based on the results of such review, the State Personalization

Centre either agrees or refuses to register the database. In case of a positive decision, the State Personalization Centre issues a

certificate on registration of a personal database to an owner / operator of personal data.

The registration is not required for databases containing personal data:

relating to participants / members of a public association or religious organization and processed accordingly by a public

association or religious organization, provided that personal data will not be distributed or disclosed to third parties;

made by the subject of personal data publicly available;

that constitutes only last name, first name and patronymic of the subject of personal data;

necessary for the purposes of a single access authorization of the subject of personal data to the territory where the

owner and / or operator is located, or for other similar purposes;

included in personal data information systems with the status of state automatized information systems;

processed without the use of automation technology;

processed in accordance with labor laws.

DATA PROTECTION OFFICERS

According to the Law on Personal Data, government bodies, legal entities and individuals processing personal data (i.e. operators of personal data) or having the right to use and dispose of personal data (i.e. owners of personal data) must designate a structural unit or a responsible person that has to organize work with respect to personal data protection in the course of its processing.

COLLECTION & PROCESSING

Under the Law on Personal Data, processing of personal data includes actions with respect to:

collection;

systematization;

storage;

modification;

addition;

use;

provision;

dissemination;

transfer;

depersonalization;

destruction.

Further, the Law on Personal Data stipulates 7 grounds / conditions for processing of personal data, as follows:

upon the subject’s consent to processing of his / her personal data;

when processing of the subject’s personal data is necessary to fulfill the agreement to which the subject is a party, or to

take measures at the request of the subject before concluding such agreement;

when processing of the subject’s personal data is required for fulfillment of obligations of the owner and / or operator as

defined by law;

when processing of the subject’s personal data is necessary for protection of legitimate interests of the subject or other

person;

when processing of the subject’s personal data is required to exercise the rights and legitimate interests of the owner and

/ or operator or a third party, or in order to achieve socially significant goals, provided that the subject’s rights are not

violated;

when processing of the subject’s personal data is necessary for statistical or other research purposes, under the

mandatory condition of depersonalization of personal data;


if the subject’s personal data is taken from public sources.

Processing of personal data should pursue a certain purpose. This purpose should be fixed in legal acts, regulations, charter or

other documents regulating the activities of the owner / operator of personal data. Accordingly, the owner / operator should specify

in its foundation documents or other internal documents (e.g. data privacy policy etc.) the purpose of data processing. Whenever

the purpose of these operations changes, a new consent from the subject to conduct operations over the personal data related to

them in line with such new purpose must be obtained.

In order to achieve the intended purpose of personal data processing, the owner / operator has the right to independently

determine the procedure and principles of collection and systematization of personal data. That said, the volume and the nature

of personal data to be processed should correspond to the purpose and applied methods of processing.

According to the Law on Personal data, the owner / operator may assign the processing of personal data to third parties in the

following cases:

upon the subject’s consent obtained in a written form or in the form of an electronic document;

if such assignment is made based on an agreement between the owner and the subject of personal data or for the

fulfillment of the conditions of an existing agreement;

other cases stipulated by law.

In processing the personal data, the owner / operator must comply with notification requirements set by the Law on Personal

Data. Under the foregoing Law, the owner / operator must notify the subject:

on inclusion of the subject’s personal data into the personal database along with informing the subject on purpose of

personal data processing and the subject’s respective rights. The period of notification is not defined by the Law on

Personal Data;

on transfer of the subject’s data to third parties. Such notification must be provided within a 3-day period;

upon the subject’s application. Under the Law on Personal Data, the subject has the right to request the owner / operator

to provide him / her with information about processing of his / her data.

Upon achievement of the processing purpose, as well as in other cases stipulated by the Law on Personal Data (e.g. withdrawal of

the subject’s consent, decision of the court etc.) personal data is subject to destruction by the owner / operator.

Along with the above, on 15 January 2021 a data localization requirement was introduced into the Law on Personal Data, which came into force on 16 April 2021. Under this requirement the personal data of Uzbek citizens processed with the use of information

technologies, including via the Internet, must be collected, systematized and stored on technical means physically located on the

territory of Uzbekistan and in databases duly registered in the State Register of Personal Databases.

TRANSFER

The Law on Personal Data defines the cross-border transfer of personal data as the transfer of personal data by the owner /

operator outside the territory of the Republic of Uzbekistan. Cross-border transfer of personal data is allowed only to the

territory of foreign states providing adequate protection of the rights of personal data subjects. At present, it is unclear which

states will qualify as providing “adequate” protection.

Nevertheless, cross-border transfer of personal data is still possible even if the foreign state does not provide adequate

protection. Such transfer is possible in 3 exceptional cases:

the subject explicitly agrees to such transfer;

there is a need to protect the constitutional order of Uzbekistan, the public order, rights and freedoms of citizens, health

and morality of the population;

if such transfer is stipulated by the international treaty of Uzbekistan.

The Law on Personal Data also determines that cross-border transfer of personal data may be prohibited or restricted in order to

protect the constitutional order of the Republic of Uzbekistan, morality, health, rights and legitimate interests of citizens, and to

secure defense of the country and national security.


SECURITY

The Law on Personal Data states that personal data is subject to the protection guaranteed by the State. It also imposes

obligations on the owner / operator of personal data and the third party acquiring personal data to take necessary legal,

organizational and technical measures ensuring:

non-interference into the subject’s private life;

integrity and safety of personal data;

confidentiality of personal data;

prevention of illegal processing of personal data.

The Law on Personal Data does not envisage the precise types and content of such measures. Yet, it authorizes the Cabinet of

Ministers to define the requirements for protection of personal data during the processing and requirements for material carriers

of biometric and genetic data for storing such data outside personal databases. There is no information with regard to the

scheduled date of adoption of the above requirements. Until that moment, the owner / operator of personal data should

determine such measures independently provided they are in line with data protection laws.

Obligations of the owner / operator of personal data on protection of confidentiality of personal data arise from the moment such

data is collected until their destruction or depersonalization.

BREACH NOTIFICATION

There is no requirement on breach notification under the Law on Personal Data. However, in case of violation of data processing rules (e.g. unauthorized data processing), the owner / operator of personal data must suspend processing of personal data or destroy them.

ENFORCEMENT

Following the adoption of the Law on Personal Data, a number of amendments aimed at enforcing data protection rules, were

introduced into the Code on Administrative Liability and Criminal Code.

Currently, under the Code on Administrative Liability, illegal collection, systematization, storage, modification, addition, use, provision, dissemination, transfer, depersonalization and destruction of personal data leads to the imposition of a fine on citizens of up to 5 base calculation values (‘BCV’) (approx. USD 125) and on officials of up to 10 BCV (approx. USD 250).

Repeated violation of data protection rules can lead to criminal liability. Under the Criminal Code, illegal processing of personal data leads to a fine of up to 50 BCV (approx. USD 1,250), or deprivation of a certain right for up to 3 years, or correctional labour for up to 2 years.

Along with the above, following the latest amendments introduced into the Code on Administrative Liability and Criminal Code,

starting from 30 January 2022 penalties for violations of the Law on Personal Data shall increase as follows:

administrative liability for illegal processing of personal data, as well as non-compliance with the localization requirement

will lead to imposition of an administrative fine on citizens in the amount of 7 BCV (approx. USD 175) and on officials – in

the amount of 50 BCV (approx. USD 1,250).

criminal liability for repeated violations of data protections rules committed after the imposition of an administrative fine

will be punished by the fine in the amount from 100 BCV to 150 BCV (approx. from USD 2,500 to USD 3,750), or

deprivation of a certain right for up to 3 years, or correctional labour for up to 2 years.

Furthermore, under Resolution No. 707, non-compliance with localization requirement leads to inclusion of an owner / operator

of personal data into the Register of Infringers of the Rights of Personal Data Subjects and blocking access to the information

resources (web-sites) of an owner / operator of personal data in Uzbekistan.

Apart from the above, the State Personalization Centre can issue binding orders to legal entities and individuals on elimination of

violations of data protection requirements.


ELECTRONIC MARKETING

The Law No. ZRU-385 of the Republic of Uzbekistan ‘On E-Commerce’ (new version) dated May 22, 2015 contains a provision on

the use of personal data in e-commerce and electronic marketing. It requires obtaining prior consent of a data subject for

distribution of the offer and advertising, including through mass distribution of electronic messages.

The Law on Personal Data does not specifically regulate the use of personal data in electronic marketing. However, considering

that the Law on Personal Data applies to any processing of personal data this Law will also cover processing of personal data in

electronic marketing.

ONLINE PRIVACY

Current data protection laws do not provide for regulation of online privacy. However, where personal data is involved and privacy issues are concerned, there is no obstacle to their application to online privacy.

KEY CONTACTS

Centil Law Firm

centil.law/#

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Dilshad Khabibullaev
Partner

Centil Law Firm

T +998711204778

dilshad.k@centil.law

Valeriya Ok
Senior Associate

Centil Law Firm

T +998711204778

valeriya.ok@centil.law

Sabina Saparova
Senior Associate

Centil Law Firm

T +998711204778

sabina.saparova@centil.law

Ibrokhim Musakhodjaev
Junior Associate

Centil Law Firm

T +998711204778

ibrokhim.musakhodjaev@centil.law


VENEZUELA

Last modified 22 December 2021

LAW

There is no specific legislation about data privacy or data protection in Venezuela; however, there are isolated provisions in some existing laws that regulate certain aspects related to data protection.

Likewise, the Constitution of the Bolivarian Republic of Venezuela (the “Constitution”) establishes general principles that serve

as a framework for the protection of information. These principles were developed by decision No. 1318 of the Supreme Court of

Justice (“TSJ” for its Spanish acronym) of August 2011, guarding the honour, privacy, intimacy, self-image, confidentiality, and

reputation of individuals. The principles are: 

Principle of free will, which implies the need of a prior, free, informed, unequivocal and revocable consent for the use, and

collection of personal data.

Principle of legality, according to which the collection of personal data entails that the limitation to informational self-determination is a result of a legal provision.

Principle of purpose and quality, which means that the collection of personal data must respond to predetermined

purposes, motives, or causes that are not contrary to constitutional and legal provisions, also a prerequisite to obtain valid

consent. Data can only be extracted and treated for the fulfilment of specific, explicit, and legitimate purposes related to

the activity of those who get them. This principle entails the necessary proportionality in the collection of data, which

must be adequate, relevant, and not excessive.

Principle of temporality or conservation, under which the data should be preserved only until the purposes or objectives of its collection are achieved.

Principle of accuracy and self-determination, which means that the data must be complete, accurate and up to date, in

response to the real situation of the person as the data may be subject to control by the individuals whose data is

collected. The interested party must have clear and expeditious procedures to obtain from the person responsible for the

use or receipt of the information: the confirmation of the use of data; the purposes of such registers and its recipients; the

rectification or cancellation of inaccurate, inadequate, or excessive data, and; the knowledge of such modifications by

those whose wrong information has been communicated.

Principle of foreseeability and integrity: Although the rights relating to the collection of information should be initially

aimed at protecting the rights of the individuals whose information is collected, the analysis of the impact that the

collection of data has on such rights cannot be isolated and without reference to data that may be collected in other

registries.


Principle of security and confidentiality, which implies the guarantee of confidentiality, of no alteration of data by third

parties, and of access to such data by the competent authorities in accordance with the law. The data must be protected

from alteration, loss, accidental destruction, unauthorised access, or fraudulent use. This protection goes as far as

preventing international data transfers to States whose legislation does not guarantee a level of protection similar to the

one described.

Principle of guardianship, which means that in addition to having judicial protection to enforce the right to access the

information and obtain knowledge of the use of the personal data, there should be public entities that ensure the right to

the protection of personal data with powers to create or implement simplified models and based on technical standards to

measure the level of efficiency of the structures and procedures in place and the level of protection of the personal data.

Principle of liability, under which a violation of the right to the protection of personal data gives rise to liability and the

imposition of civil, criminal, and administrative penalties, as the case may be. 

Also, Article 28 CRBV sets the right for individuals to access their personal information stored in public or private records, to

know for what use such information will be recorded, and, rectify or destroy it when incorrect or when it unlawfully affects their

rights. Although there is no legal regulation in this regard, the TSJ has agreed to the possibility of maintaining this information and

personal data in systems or records, stored in a way that a profile of them can be done with the purpose of using the information

for personal gain or for third parties, as long as the rights set in Article 28 CRBV are respected. According to this Article, a double

right is guaranteed: (i) to collect information about people and their goods, and (ii) access to such information that has been

collected and is reflected in the records. However, whoever collects the information or data of the individuals or their goods, shall

respect the right of the people to protect their honour, privacy, intimacy, self-image, confidentiality, and reputation, all of this

provided in Article 60 CRBV. 

Additionally, the decision also stipulates that the particular data that someone keeps for study purposes, or for personal use or to

fulfill professional objectives, which do not form a system capable of designing a total or partial profile of individuals are not subject

to these principles, since they lack a general projection. However, records that, when cross-referenced with others, make it

possible to outline a profile of the private life of individuals, or of their economic situation, political tendencies, etc., could be part

of the records protected by the Constitution. The mere potential of intersecting and complementing the data of a registry, with

the information stored in others that complete it, makes the set of records susceptible to the rights referred to in article 28 of the

Constitution. 

DEFINITIONS

Definition of Personal Data

There is no legal definition of “Personal Data” in Venezuelan legislation. 

Nonetheless, decision No. 855 of the TSJ, of May 8, 2012, gave us the following definition of Personal Data: “Any information related

to an identified or identifiable individual”. 

Likewise, any Personal Data must be processed fairly and responsibly for particular purposes, on the basis of the data subject’s consent or as a consequence of some other legitimate basis provided by law.

Definition of Sensitive Personal Data

There is no legal definition of “Sensitive Personal Data” in Venezuelan legislation. 

However, in decision No. 1335 of the TSJ, of August 8, 2011, in a case on the sensitive and personal data in a medical record, the

TSJ expressed that any such data must be handled under the strictest confidentiality and privacy controls, and its content must not

be disclosed. 

The decision says that sensitive and personal data are among a person’s most genuine and authentic assets and that, as such, the person is the absolute owner and holder of all that information; only that person can grant permission for its use and treatment.


Under this decision, we can conclude that any person’s intimate data can also be considered to be Sensitive Personal Data, and, as

such, must be confidential, be duly guarded and only that person can grant permission for its use and treatment.

NATIONAL DATA PROTECTION AUTHORITY

There is no National Data Protection Authority in Venezuela.

REGISTRATION

There is no legal requirement to register before any National Data Protection Authority.

DATA PROTECTION OFFICERS

There is no legal requirement to appoint a Data Protection Officer.

COLLECTION & PROCESSING

The collection and processing of Personal Data must adhere to the previously explained general principles dictated by the

Constitutional Chamber of the TSJ.

TRANSFER

According to the general principles dictated by the TSJ, there is a protection against the transfer of data to States whose legislation

does not guarantee a level of protection similar to the one described. 

In addition, in terms of labor law, the employee’s consent is required to transfer personal data to third parties. There are

companies that voluntarily develop their own data protection policies or apply their headquarters policies or international

standards for this matter.

SECURITY

According to the general principles dictated by the Constitutional Chamber of the TSJ, there is a guarantee of confidentiality, of no

alteration of data by third parties, and of access to such data by the competent authorities in accordance with the law. The data

must be protected from alteration, loss, accidental destruction, unauthorised access, or fraudulent use.

BREACH NOTIFICATION

There is no legal obligation to disclose a data breach.

Mandatory Breach Notification

It is not mandatory to disclose a data breach.

ENFORCEMENT

When it comes to labor matters and records of employees, the Organic Law on Prevention, Conditions and Working Environment (“LOPCYMAT” for its Spanish acronym) sets forth in Article 53 the following rules on certain data and privacy protection:

Section 10: the right of the employees to access information contained in health screenings, as well as the confidentiality of the results with respect to third parties.

Section 11: the confidentiality of employees’ personal health data.

Section 16: the privacy of employees’ correspondence and communications, as well as free access to all data and information relating to the employee.

The related exception and the fines for non-compliance under LOPCYMAT are:

Article 27: disclosure of health results to certain third parties is permitted with the employee’s consent.

Article 119: failure to comply with the obligation of section 10 may result in a fine ranging from 26 to 75 tax units (“T.U.”) for each worker exposed.

Article 120: failure to comply with the obligation of section 11 may result in a fine ranging from 76 to 100 T.U. for each worker exposed.

ELECTRONIC MARKETING

Electronic Marketing is allowed, but any collection and processing of Personal Data must adhere to the previously explained

general principles dictated by the TSJ.

ONLINE PRIVACY

There is no specific legislation about online privacy in Venezuela, but we advise to adhere to the previously explained general

principles dictated by the TSJ if there is going to be any processing or collection of Personal Data.

KEY CONTACTS

InterJuris Abogados S.C

interjuris.com/

DATA PRIVACY TOOL

You may also be interested in our  to assess your organization’s level of data protection maturity.Data Privacy Scorebox

Maria Cecilia Rachadell
Partner

InterJuris Abogados S.C

T +13059271390

maria.rachadell@interjuris.com

Juan José Delgado
Partner

InterJuris Abogados S.C

T +13057971121

juanjose.delgado@interjuris.com


VIETNAM

Last modified 10 January 2022

LAW

There is not a single comprehensive data protection law in Vietnam. Instead, regulations on data protection and privacy can be

found in various legal instruments. The right of privacy and right of reputation, dignity and honour and fundamental principles of

such rights are currently provided for in Constitution 2013 (“Constitution”) and Civil Code 2015 (“Civil Code”) as inviolable

and protected by law.

Regarding personal information, the key principles on collection, storage, use, process, disclosure or transfer of personal

information are specified in the following main laws and guiding documents, among others:

Criminal Code No. 100/2015/QH13, passed by the National Assembly on 27 November 2015; as amended from time to

time (“Criminal Code”);

Law No. 24/2018/QH14 on Cybersecurity, passed by the National Assembly on 12 June 2018 (“Cybersecurity Law”);

Law No. 86/2015/QH13 on Network Information Security, passed by the National Assembly on 19 November 2015; as

amended by Law No. 35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of

37 Laws (“Network Information Security Law”);

Law No. 59/2010/QH12 on Protection of Consumers’ Rights, passed by the National Assembly on 17 November 2010; as

amended by Law No.35/2018/QH14 dated 20 November 2018, on amendments to some articles concerning planning of

37 Laws (“CRPL”);

Law No. 67/2006/QH11 on Information Technology, passed by the National Assembly on 29 June 2006; as amended by

Law No. 21/2017/QH14 dated 14 November 2017 on planning (“IT Law”);

Law No. 51/2005/QH11 on E-transactions, passed by the National Assembly on 29 November 2005 (“E-transactions Law”);

Decree No. 85/2016/ND-CP dated 1 July 2016, on the security of information systems by classification (“Decree 85”);

Decree No. 72/2013/ND-CP dated 15 July 2013 of the Government, on management, provision and use of Internet

services and online information; as amended by Decree No. 27/2018/ND-CP dated 1 March 2018 and Decree

No.150/2018/ND-CP dated 7 November 2018 (“Decree 72”);

Decree No. 52/2013/ND-CP dated 16 May 2013 of the Government; as amended by Decree No. 08/2018/ND-CP dated

15 January 2018, on amendments to certain Decrees related to business conditions under state management of the

Ministry of Industry and Trade and Decree No. 85/2021/ND-CP dated 25 September 2021 (“Decree 52”);

Decree No. 15/2020/ND-CP of the Government dated 3 February 2020 on penalties for administrative violations against

regulations on postal services, telecommunications, radio frequencies, information technology and electronic transactions

(“Decree 15”);

Circular No. 03/2017/TT-BTTTT of the Ministry of Information and Communications dated 24 April 2017 on guidelines for Decree 85 (“Circular 03”);

Circular No. 20/2017/TT-BTTTT dated 12 September 2017 of the Ministry of Information and Communications, providing for Regulations on coordinating and responding to information security incidents nationwide (“Circular 20”);

Circular No. 38/2016/TT-BTTTT dated 26 December 2016 of the Ministry of Information and Communications, detailing cross-border provision of public information (“Circular 38”);

https://www.dlapiperdataprotection.com

DATA PROTECTION LAWS OF THE WORLD

Data Protection Laws of the World Vietnam 1129 | | | www.dlapiperdataprotection.com

Circular No. 24/2015/TT-BTTTT dated 18 August 2015 of the Ministry of Information and Communications, providing for the management and use of Internet resources, as amended by Circular No. 06/2019/TT-BTTTT dated 19 July 2019 (“Circular 24”); and

Decision No. 05/2017/QD-TTg of the Prime Minister dated 16 March 2017 on emergency response plans to ensure national cyber-information security (“Decision 05”).

Each aspect and each industry may have its own regulating documents. In other words, the applicability of legal documents will depend on the factual context of each case, e.g. businesses in the banking and finance, education and healthcare sectors may be subject to specialized data protection regulations, not to mention the regulations on employees’ personal information provided in the Labour Code 2019 (“Labour Code”).

The most important Vietnamese legal documents regulating data protection are the Cybersecurity Law and the Network Information Security Law. However, it is worth noting that, unlike cybersecurity laws in other jurisdictions that were inspired by the EU’s GDPR, the Cybersecurity Law of Vietnam shares similarities with China’s Cybersecurity Law, which took effect in 2017. That law focuses on giving the government the ability to control the flow of information, whereas the Network Information Security Law enforces data privacy rights for individual data subjects.

A draft Decree detailing a number of articles of the Cybersecurity Law (“Draft Cybersecurity Decree”), notably including implementation guidelines for data localization requirements, together with a draft Decree detailing the order of and procedures for application of a number of cybersecurity assurance measures and a draft Decision of the Prime Minister promulgating a List of information systems important for national security, are being prepared by the Ministry of Public Security (“MPS”) in coordination with other relevant ministries, ministerial-level agencies and bodies.

MPS has drafted a Decree on personal data protection (“Draft PDPD”), which is intended to consolidate all data protection laws and regulations into one comprehensive data protection instrument as well as make significant additions and improvements to the existing regulations. The Draft PDPD was released for public comments in February 2021 and was originally scheduled to take effect by December 2021. However, because of the extreme sensitivity of the issues it is intended to regulate (including the data localization requirement and regulatory approval for sensitive data processing), the Draft PDPD received a large volume of negative comments from the public and foreign governments, and its finalization has taken much longer than the MPS first anticipated. As of January 2022, the Draft PDPD has not been finalized or submitted to the Government and National Assembly for final approval. It is anticipated that the Draft PDPD might be finalized and take effect within 2022.

DEFINITIONS

Definition of personal data

There is no single, pervasive definition of personal data in Vietnam, but the concept of personal information, definition thereof and

its variations can be found in the various laws, regulations and guidance that comprise the data protection framework in Vietnam.

In summary, personal information is generally defined as information associated with the identification of a specific person, e.g. full

names, date of birth, profession, title, contact addresses, email addresses, telephone numbers, ID numbers, passport numbers.

Definition of sensitive personal data

Currently, there is no particular definition of ‘sensitive personal data’ specified in the laws of Vietnam, except for highly controlled

industries such as banking and finance.

However, under the Draft PDPD, ‘personal data’ is proposed to be defined as data about individuals or relating to the

identification or ability to identify a particular individual. Personal data would be categorized into two groups: (a) basic personal

data, and (b) sensitive personal data:

Basic personal data is defined to include: (i) surname, middle name, birth name, alias (if any); (ii) date of birth; (iii) date of death or date of going missing; (iv) blood type and gender; (v) place of birth, place of birth registration, permanent residence, current residence, hometown, contact address, email address; (vi) education; (vii) ethnicity; (viii) nationality; (ix) phone number; (x) ID card number, passport number, citizen identification number, driver’s license number, plate number, personal tax identification number, social insurance number; (xi) marital status; and (xii) data reflecting online activities or activity history.

Sensitive personal data is defined to include: (i) personal data on political and religious views; (ii) personal health data, i.e.

information related to the physical or mental health status of the data subject collected and identified during the process

of registration or provision of medical services; (iii) personal genetic data, i.e. information relating to inherited or acquired

genetic characteristics of each individual; (iv) personal biometric data, i.e. information about physical and biological

characteristics of each individual; (v) personal data on gender status, i.e. information about people identified as male,

female, gender neutral, androgynous, or having both masculine and feminine characteristics or self-identifying a different

gender from the gender identified at birth; (vi) personal data about life and sexual orientation; (vii) personal data about

criminals and criminal acts collected and stored by law enforcement agencies; (viii) personal financial data, i.e. information

used to identify an account, card or payment instrument provided by a financial institution to a data subject or information

about the relationship between a financial institution, original financial data and data subjects, including records, financial

status, credit history, and income level; (ix) personal location data, i.e. information about the individual’s previous and

current physical location; (x) personal data about social relationships; and (xi) other personal data as specified by law to be

special and subject to confidentiality protection.

NATIONAL DATA PROTECTION AUTHORITY

Vietnam does not have a single national data protection authority. Instead, State management of particular aspects of information and / or data protection has been assigned to a number of competent State authorities. The key State authorities in charge of information and / or data protection are the Ministry of Information and Communications (“MIC”), the MPS and the Vietnam Cybersecurity Emergency Response Teams / Coordination Center (“VNCERT/CC”), which is directly managed by the Authority of Information Security (“AIS”) under the MIC. Their key roles are as follows:

MIC, particularly the AIS, is responsible for management of the provision of cyberspace services (e.g. social networks, online gaming, e-commerce, etc.), such as requesting cyberspace service providers to delete illegal data uploaded to their systems / networks.

MPS, particularly Department for Cybersecurity and High-tech Crime Prevention and Fighting, is responsible for

supervision of national cybersecurity, e.g. to request cyberspace service providers to (i) store data in Vietnam and (ii)

provide users’ information for serving investigation into cybersecurity crime.

VNCERT/CC acts as the National Coordination Center for response to cybersecurity incidents and information security

testing.

In addition to the above, subject to each specific industry (e.g. banking and finance; education; healthcare; natural resources and

environment; culture, sports and tourism; etc.), the State management authority in charge of such industry and its IT center shall

be involved in relevant information system protection.

REGISTRATION

There is no requirement under Vietnamese law for a private-sector data controller to register itself or its activities with the local authorities (e.g. MPS, MIC or VNCERT/CC), except:

Foreign enterprises which provide services on telecom networks and on the Internet and other value-added services in cyberspace in Vietnam (“cyberspace service providers”) may need to have branches or representative offices in Vietnam (subject to specific guidance of the Government under the Draft Cybersecurity Decree);

Where organizations or individuals involved in cross-border public information provision activities rent digital information storage facilities within the territory of Vietnam so as to provide their services, or are reported to provide public information used or accessed by at least 1 (one) million Internet users in Vietnam a month, they are obliged to send a written notice of their contact information to the MIC, in person, by post or to the email address report38@mic.gov.vn, including:

In the case of an organization, the registered name, transactional name and name of the licensing country; in the case of an individual, the name of that individual;

The main office address of an organization, or the permanent residence address and nationality of an individual, owning an electronic information page, and the location of the main server system;

The principal contact agent of the overseas organization or individual and the principal contact agent operating within the territory of Vietnam, including the name of the organization or individual, contact email address and telephone number.

DATA PROTECTION OFFICERS

Under the laws of Vietnam there is no regulation mandating a typical company to appoint a “DPO”. However, certain types of

organizations (e.g. big information system owners and others such as telecoms enterprises, banks, State bodies, information

system owners using State budgets, etc.) are required to appoint specialized information security focal points and contact persons

to supervise and warn on cyber-information security, etc. These officers are expected to be in charge of incidents rather than data

protection issues. Other strict requirements (under various legal documents) are also applicable to such kinds of organizations

which do not cover “companies of the private sector”.

COLLECTION & PROCESSING

According to Vietnamese law, the solid legal basis for the processing of personal information (meaning the performance of one or more acts of collecting, editing, utilizing, storing, providing, sharing or spreading personal information in cyberspace for commercial purposes) is prior explicit consent given by the data subject. Specifically, organizations that process personal information may collect personal information only (i) after having notified data subjects of the scope, purpose, storage period, form and location of collection, storage, processing, use, disclosure and transfer of such information (the relevant terminology covers “collect, store, process, use, disclose and transfer” rather than just “collection and processing” of data); and (ii) after obtaining their consent. Traders or organizations collecting and using consumers’ personal information on an E-commerce website must set up a mechanism for the consumers / data subjects to clearly express their consent through online functions on the website, e-mail, messages or other methods agreed by the two parties.

However, depending on the specific purpose of the processing of personal information, the laws provide an alternative legal basis besides consent. In particular, organizations may collect, process, use, store, disclose and transfer other people’s personal information without consent when that information is used for the following purposes:

Signing, modifying or performing contracts on the use of information, products or services in the network environment (generally defined as “the environment in which information is provided, transmitted, collected, processed and exchanged via information infrastructure”);

Calculating charges for use of information, products or services in the network environment; and

Performing other obligations provided for by law (e.g. at the request of a competent authority as prescribed by the law of Vietnam).

In addition, the traders and organizations collecting and using consumers’ personal information on E-commerce websites shall not

need the consumers / subjects’ prior consent in the following cases:

Collecting personal information that has been publicized on E-commerce websites;

Collecting personal information to sign or perform contract of sale and purchase of goods and services;

Collecting personal information to calculate the price and charge of use of information, products and services on the

network environment;

Collection of personal information for performing other obligations in accordance with the law.

In particular, the data controller is required to:

Provide the data subject with their personal information collected and stored by the data controller upon receipt of a

request from the data subject;

Immediately comply with the request and notify such data subject or grant him / her the right to access information or to

do so upon receipt of a request from the data subject for re-examination, update, correction, modification or cancellation,

or for the stoppage of the provision of personal information to a third party, and not supply or use relevant personal

information until such information is corrected;

Take necessary measures to protect personal information, and notify the data subject if the data controller fails to comply

with its / his / her request for technical or other reasons; and

Delete the stored personal information when they have accomplished their use purposes or the storage time has expired

and notify the data subject thereof, unless otherwise prescribed by law.

TRANSFER

In general, if a data controller wishes to share, disclose or otherwise transfer an individual’s personal information to a third party (including group companies), the data controller must inform the data subjects and obtain their prior explicit consent. In particular, traders or organizations collecting and using consumers’ personal information on an E-commerce website must have a specific mechanism allowing the data subjects to permit or refuse the use of their personal information for sending advertisements and introducing products and other commercial information.

In cases of cross-border transfers, the data exporter / importer does not need to obtain authorization from or make a filing with

the Vietnamese regulators, or notify the supervisory authority before carrying out any automatic processing operation or set of

such operations, including a transfer of personal information from Vietnam to a foreign country or an international organization.

There are exceptions for the transfer of information that is classified as being a State secret.

In addition to the above requirements, it is worth noting that data localization is an increasing trend in Vietnam, which is provided

in certain legal documents, e.g.:

According to Circular 24, electronic general information pages and social networks as entities licensed in Vietnam must

use at least one domain name “.vn” and store information in servers identified by IP addresses in Vietnam.

The Cybersecurity Law requires that domestic or foreign cyberspace service providers carrying out activities of collecting,

exploiting / using, analysing and processing data being personal information, data about service users’ relationships and data

generated by service users in Vietnam must store such data in Vietnam for a specified period to be stipulated by the

Government. In particular, according to Article 26 of the Draft Cybersecurity Decree, domestic and foreign enterprises

providing telecoms and online services to customers in Vietnam may be required to locally store certain customer-related

data in Vietnam for a certain period prescribed by law if the authority alerts them that their services/online platforms have

been used to commit violations of Vietnam’s laws but such online service providers fail to remedy the situation upon the

request of the authority. According to the latest version of the Draft Cybersecurity Decree, the organizations which could

be subject to the foregoing data localization requirements only include those engaging in the following services: (i)

telecommunications; (ii) data storage and sharing in cyberspace; (iii) supply of national or international domains to service

users in Vietnam; (iv) E-commerce; (v) online payment; (vi) intermediary payment; (vii) transport connection via

cyberspace; (viii) social networking and social media; (ix) online electronic games; and (x) providing, managing or operating

other information in cyberspace in the form of messages, phone calls, video calls, email or online chats. As of January

2022, the Draft Cybersecurity Decree has not yet been finalized. It is anticipated that the Draft Cybersecurity Decree

might be finalized and take effect within 2022, at the same time as the Draft PDPD.

The Draft PDPD also suggests imposing restrictions on cross-border data transfer (including registration of transfers of personal data from Vietnam to foreign countries). In particular, according to the Draft PDPD, subject to specific exemptions and prior approval from the Personal Data Protection Commission (“PDPC”), before transferring personal data of Vietnamese citizens out of Vietnam the following four conditions must be fulfilled: (i) consent must be obtained from the data subjects; (ii) the original data must be stored in Vietnam; (iii) the data transferor must have proof that the recipient country has personal data protection at a level equal to or higher than the level specified in the Draft PDPD; and (iv) a written approval for the transfer must be obtained from the PDPC via registration procedures. Moreover, the Draft PDPD also requires a personal data controller / processor that transfers data abroad to build a system to store data transfer history for three years. Details of several of these provisions (including the cross-border data registration procedure) have not yet been fully developed, and the MPS and the Government have not set out any specific timeline to promulgate the Draft PDPD.

SECURITY

Organizations must take necessary managerial or technical measures to ensure that the personal information shall not be lost,

stolen, disclosed, modified or destroyed. Remedial measures must be taken immediately if personal information is being or is likely

to be disclosed or destroyed.

Generally, the data controller must classify information based on its secrecy in order to take appropriate protection measures; and agencies and organizations that use classified and unclassified information in activities within their fields must develop regulations and procedures for processing information, and determine the contents and methods of recording authorized accesses to classified information.

In which:

Personal information protection policies to be developed and published by traders and organizations collecting and using

the consumers’ personal information on E-commerce websites must provide the purpose of collection; scope of use;

storage period; organizations and persons authorized to access to such personal information; address of data controller,

including way of contact for the consumers to ask about the collection and processing information related to them;

methods and tools for data subjects to access and modify their personal information on the E-commerce system of the

data controller.

The above contents must be clearly displayed to consumers before or at the time of collection. They must be in Vietnamese, clear and understandable, and in a font size of at least 12, and the paper background and ink colour used in the terms must contrast.

If the information collection is done through E-commerce website of the data controller, the personal information

protection policies must be made public in a conspicuous place on the website.

The traders, organizations or individuals that own E-commerce websites with online payment functions must publish on

their website policies on security of customer’s payment information.

BREACH NOTIFICATION

The laws of Vietnam introduced a general requirement for the reporting and notification of actual or suspected personal

information security incidents. A data breach reporting / notification requirement in Vietnam will be triggered if the data incident

falls within any of the following criteria:

Criterion 1. The affected data system is located in Vietnam.

Criterion 2. The services provided to customers in Vietnam fall under the categories of Regulated Services, including (1)

telecommunication services; (2) data storage and sharing in cyberspace; (3) services providing national or international domain

names to service users in Vietnam; (4) e-commerce; (5) online payment; (6) payment intermediary; (7) connecting transportation

in cyberspace; (8) social networks and social media; (9) online games; and (10) other services that provide, manage and operate

information in cyberspace in the form of messages, voice calls, video calls, email, or online chatting.

Criterion 3. The incident causes “significant loss” to the legitimate rights and interests of the affected Vietnamese persons.

Where there is a data security incident, organizations must promptly take relevant measures to mitigate it and notify the relevant data subjects and / or the relevant competent State authorities, as the case may be, in a timely manner (e.g. within 5 days after detection of the security incident), and must provide an update on the incident status when it is completely resolved. Affected organizations and individuals must be notified of the data incident if the incident falls under Criterion 2 or Criterion 3.

In the case of an incident under Criterion 1 that is beyond the control of the organization, the operator of the information system must immediately prepare an initial report on the incident to the relevant agencies and a final report on the response to the incident within five days after finishing responding to the incident. Moreover, if the information system of a trader, organization or individual engaged in e-commerce is attacked, causing a risk of loss of consumers’ information, the data controller must notify the authorities within 24 hours after detection of the incident.

Normally, the data controller would be required to give relevant notifications to the following State authorities:

Local police agency (i.e. Police Department of Cybersecurity and High-Tech Crime Prevention and Fighting under the MPS

with regard to offshore service providers, provincial police department where the head office of data controller is

located); and

VNCERT/CC directly managed by the AIS under the MIC.

ENFORCEMENT

Depending on the specific data protection laws and regulations breached, the sanctions for data protection breaches are scattered across various laws and regulations. In general, the major type of sanction is an administrative penalty. For example, failure to obtain the prior consent of data subjects to the collection, processing and use of their information is subject to a monetary fine of VND 10 million to VND 20 million. In serious cases, under the Criminal Code, any person who commits illegal use of information on a computer or telecommunications network may be liable to a monetary fine of VND 30 million to VND 1 billion, or face a penalty of up to 3 years’ community sentence or 6 months to 7 years’ imprisonment; the offender might additionally be liable to a monetary fine of VND 20 million to VND 200 million or be prohibited from holding certain positions or doing certain jobs for 1 to 5 years.

Although, in practice, the Ministries have not been actively enforcing laws and regulations on data protection, individuals are

increasingly aware of their data protection rights. It is foreseen that the enforcement environment will be evolving rapidly.

ELECTRONIC MARKETING

According to Vietnam’s new anti-spam regulation (i.e. Decree No. 91/2020/ND-CP on anti-spam text messages, emails and calls),

advertisements by text message, email and call may only be sent or made in compliance with specific requirements, notably

including:

it is prohibited to send advertising messages or make advertising calls to phone numbers on the Do-Not-Call Register;

for phone numbers not included in the Do-Not-Call Register, only one initial advertising registration message (i.e. a

message inquiring whether the user would like to receive advertising communications from the advertiser) is allowed;

if the user refuses to receive advertising messages after receiving the initial advertising registration message, no further

advertising message is allowed;

immediately after receiving a refusal request from a user, the advertiser must terminate providing advertising messages,

email or calls to such user;

no more than three advertising messages/three advertising emails/one advertising call per day may be sent or made to the

same user;

advertising messages are only allowed from 7 a.m. to 10 p.m.; advertising calls are only allowed from 8 a.m. to 5 p.m.; and

advertising contents must comply with advertising laws.

Once again, the traders or organizations collecting and using the consumers’ personal information on E-commerce websites must

have a specific mechanism for the information subjects to choose the permission or refusal of using their personal information in

the cases of using personal information to send advertisements and introduce products and other commercial information.

Additionally, organizations must not hide their names or unlawfully use the names of others when sending advertisements via e-mail or text message. Specific information must be stated in each electronic message, for example information about the advertiser and the advertising service provider, an opt-out function (for refusing further advertisements), and a label identifying the message as “QC” or “ADV” (QC is the Vietnamese abbreviation for advertisement).

With regard to advertising into Vietnam (i.e. targeting Vietnam-based recipients), foreign organizations which do not operate in Vietnam (i.e. have no commercial presence in Vietnam) but wish to advertise their products, goods, services and operations in Vietnam are required to hire a Vietnam-based advertising service provider (a company whose business lines include the provision of advertising) to conduct the relevant advertising activities.

ONLINE PRIVACY

To some extent, by assisting in tracking information on a specific person, cookies and location data could be deemed tools preinstalled on users’ computers for collecting, storing and using their personal information, which may disclose their private lives, e.g. hobbies, favourite websites and locations usually visited.

As such, it is currently understood that all rules on data protection apply to cookies as well as to location data. For example, a cyberspace service provider must obtain users’ prior acceptance before certain technologies (e.g. cookies, positioning services) are activated.

KEY CONTACTS

Tilleke & Gibbins

www.tilleke.com/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox (https://www.dlapiperdataprotection.com/scorebox/) to assess your organization’s level of data protection maturity.

Waewpen Piemwichai
Senior Associate

Tilleke & Gibbins

T +84 24 3772 6688

waewpen.p@tilleke.com

ZAMBIA

Last modified 23 December 2021

LAW

Data Protection Act No. 3 of 2021 (the “DPA”).

DEFINITIONS

Definition of Personal Data

Data which relates to an individual who can be directly or indirectly identified from that data which includes a name, an

identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic,

mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

Personal data which by its nature may be used to suppress the data subject’s fundamental rights and freedoms and includes:

the race, marital status, ethnic origin or sex of a data subject;

genetic data and biometric data;

child abuse data;

a data subject’s political opinions;

a data subject’s religious beliefs or other beliefs of a similar nature;

whether a data subject is a member of a trade union; or

a data subject’s physical or mental health, or physical or mental condition.

NATIONAL DATA PROTECTION AUTHORITY

The Office of the Data Protection Commissioner.

REGISTRATION

A person shall not control or process personal data without registering as a data controller or a data processor under the DPA.

DATA PROTECTION OFFICERS

Data controllers and data processors are required to appoint a data protection officer in line with the guidelines issued by the

Data Protection Commissioner.

COLLECTION & PROCESSING

In order to collect or process personal data, the consent of the data subject must be obtained. A data subject may consent to such processing in writing. Prior to giving such consent, the data subject must be informed of the data subject’s right to withdraw the consent. Furthermore, except as expressly provided in the DPA, a data controller is required to collect personal data directly from the data subject. The DPA provides additional rules in respect of the collection and processing of personal data, as set out below.

A data controller or data processor shall ensure that personal data is:

processed lawfully, fairly and transparently;

collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;

accurate and where necessary, kept up to date, with every reasonable step taken to ensure that any inaccurate personal data is erased or rectified without delay;

stored in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed;

processed in accordance with the rights of a data subject; and

processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against any loss, destruction or damage, using appropriate technical or organisational measures.

Subject to the other provisions of the DPA, a data controller may process personal data where:

the data subject has given consent to the processing of that data subject’s personal data;

the processing is necessary:

for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

for compliance with a legal obligation to which the data controller is subject;

in order to protect the vital interests of the data subject or of another natural person;

for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;

for the purposes of the legitimate interests pursued by the data controller or by a third party, except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child; or

the processing relates to personal data which is manifestly made public by the data subject.

A person shall not process sensitive personal data, unless:

processing is necessary for the establishment, exercise or defence of a legal claim or whenever a court is exercising a judicial function;

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services; or

processing is necessary for reasons of public interest. 

Where a data subject is a child or a vulnerable person, that data subject’s right may be exercised by that data subject’s parents, legal guardian or a person exercising parental responsibility as the case may be. A data controller shall not process a child’s or vulnerable person’s personal data unless consent is given by the child’s or vulnerable person’s parent, legal guardian or a person exercising parental responsibility. A data controller shall, where the personal data of a child or a vulnerable person is involved, make every reasonable effort to verify that consent has been given or authorised, taking into account available technology. A data controller shall incorporate appropriate mechanisms for age verification and parental consent in the processing of personal data of a child.

TRANSFER

Transfer of personal data and sensitive personal data is subject to certain restrictions under the DPA. The DPA provides that personal data must be processed and stored on a server or data centre located in the Republic. The Minister may however prescribe categories of personal data that may be stored outside the Republic. The powers of the Minister notwithstanding, sensitive personal data must be processed and stored in a server or data centre located in the Republic.

Furthermore, the DPA provides that personal data other than personal data categorised by the Minister may be transferred outside the Republic where:

the data subject has consented and the transfer is made subject to standard contracts or intragroup schemes that have been approved by the Data Protection Commissioner; or

the Minister has prescribed that transfers outside the Republic are permissible; or

the Data Protection Commissioner approves a particular transfer or set of transfers as permissible due to a situation of necessity.

Additional exceptions for the transfer of personal data outside the Republic are provided for, including:

in case of an emergency, to a particular person or entity engaged in the provision of health services or emergency services;

where the data subject has explicitly consented to that transfer of sensitive personal data; and

to a particular international organisation or country which complies with the DPA, where the Data Protection Commissioner is satisfied that the transfer or class of transfers is necessary for any class of data controllers or data subjects and does not hamper the effective enforcement of the DPA.

SECURITY

A data controller or data processor is required to provide guarantees regarding the technical and organisational security measures employed to protect the personal data associated with the processing undertaken and ensure strict adherence to such measures.

A data controller or the data processor is further required to, having regard to the nature, scope and purpose of processing personal data undertaken, the risks associated with such processing, and the likelihood and severity of the harm that may result from such processing, implement appropriate security safeguards including:

maintaining integrity of personal data using methods including pseudonymisation and encryption;

ensuring ongoing confidentiality, integrity and implementation of measures necessary to protect the integrity of personal data;

measures necessary to prevent misuse, unauthorised access to, modification, disclosure or destruction of personal data; and

implementation of appropriate data protection policies. 

A data controller and data processor are also required to undertake a periodic review of security safeguards in accordance with guidelines issued by the Data Protection Commissioner.

BREACH NOTIFICATION

A data controller shall notify the Data Protection Commissioner within twenty-four hours of any security breach affecting personal data processed.

A data processor shall notify the data controller, as soon as practicable, of any security breach affecting personal data processed on behalf of the data controller.

A data controller or data processor shall notify the data subject, as soon as practicable, of any security breach affecting personal data processed.

Mandatory breach notification

A data controller shall notify the Data Protection Commissioner within twenty-four hours of any security breach affecting personal data processed.

A data processor shall notify the data controller, as soon as practicable, of any security breach affecting personal data processed on behalf of the data controller.

A data controller or data processor shall notify the data subject, as soon as practicable, of any security breach affecting personal data processed.

ENFORCEMENT

The DPA sets out various penalties for offences prescribed thereunder. For example, in respect of offences relating to the breach of the principles and rules relating to the processing of personal data, the penalty upon conviction is a fine not exceeding one hundred million penalty units[1] or two percent of annual turnover of the preceding financial year, whichever is higher, where the offence is committed by a corporate body.

Given that the DPA is a new piece of legislation, at the date of this update, we are not aware of any enforcement action taken by the Regulator.

[1] ZMW30,000,000 (at today’s exchange rate of US$1 = ZMW16.37, approx. US$1,832,620.65)

ELECTRONIC MARKETING

Electronic marketing is governed by the Electronic Communications and Transactions Act No. 4 of 2021 (the “ECTA”). The ECTA provides that a person marketing by means of electronic communication shall provide the addressee with:

the person’s identity and contact details including its registered office and place of business, email, contact and customer service number;

a valid and operational opt out facility from receiving similar communications in future;

the identifying particulars of the source from which the originator obtained the addressee’s personal information; and

applicable privacy and other user policies. 

The ECTA also places restrictions in respect of unsolicited commercial communications to a consumer. The ECTA provides that a person may send one unsolicited commercial communication to a consumer; such a commercial message can only be sent where the opt-in requirement is met.

The ECTA further provides that an originator who sends unsolicited commercial communications to an addressee who has opted out from receiving any further electronic communications from the originator through the originator’s opt-out facility commits an offence.

ONLINE PRIVACY

The ECTA provides that a service provider is not liable for any damage incurred by a person if the service provider refers or links users to a web page containing an infringing data message or infringing activity, by using information location tools, including a directory, index, reference, pointer, or hyperlink, and where the service provider:

does not have actual knowledge that the data message or an activity relating to the data message is infringing the rights of that person;

is not aware of facts or circumstances from which the infringing activity or the infringing nature of the data message is apparent;

does not receive a financial benefit directly attributable to the infringing activity; and

removes, or disables access to, the reference or link to the data message or activity within a reasonable time after being informed that the data message or the activity relating to that data message infringes the rights of a person.


KEY CONTACTS

Chibesakunda & Co.

www.dlapiperafrica.com/zambia/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Louise De-Assis Chilepa
Head of Banking & Finance

T +260 211 366400

louise.chilepa@cco.co.zm

Mwamba Chibesakunda
Associate

T +260 211 366400

mwamba.chibesakunda@cco.co.zm


ZIMBABWE

Last modified 22 December 2021

LAW

Access to Information and Protection of Privacy Act (Chapter 10:27);

Banking Act (Chapter 24:20);

Courts and Adjudicating Authorities (Publicity Restrictions) Act (Chapter 07:04);

Consumer Protection Act (Chapter 14:44);

Census and Statistics Act (Chapter 10:29);

Data Protection Act (Chapter 11:24);

Interception of Communications Act (Chapter 11:20); and,

National Registration Act (Chapter 10:17);

Communication Technology (“ICT Policy”).

DEFINITIONS

Definition of personal data

The Access to Information and Protection of Privacy Act defines personal information as recorded information about an identifiable person which includes:

The person’s name, address, or telephone number;

The person’s race, national or ethnic origin, religious or political beliefs or associations;

The person’s age, sex, sexual orientation, marital status, or family status;

An identifying number, symbol or other particulars assigned to that person;

Fingerprints, blood type or inheritable characteristics;

Information about a person’s healthcare history, including a physical or mental disability;

Information about educational, financial, criminal or employment history;

A third party’s opinions about the individual;

The individual’s personal views or opinions (except if they are about someone else); and,

Personal correspondence with home or family.

Definition of sensitive personal data

There is no law that defines Sensitive Data. However, in terms of the Data Protection Act, Personal sensitive data refers to information or any opinion about an individual which reveals or contains the following:

racial or ethnic origin;

political opinions;

membership of a political association;

religious beliefs or affiliations;

philosophical beliefs;

membership of a professional or trade association;

membership of a trade union;

sex life;

criminal educational, financial or employment history;

gender, age, marital status, or family status;

health information about an individual;

genetic information about an individual; or

any information which may be considered as presenting a major risk to the rights of the data subject.

NATIONAL DATA PROTECTION AUTHORITY

In terms of the Data Protection Act, the Postal and Telecommunication Regulatory Authority, established in terms of section 5 of the Postal and Telecommunications Act [Chapter 12:05], is the recognised National Data Protection Authority. The Authority has the responsibility to promote and enforce the fair processing of personal data and advise the Minister of Information Communication Technology on matters relating to privacy rights. The Authority is mandated to conduct inquiries and investigations either on its own accord or on the request of any interested person in relation to data protection rights.

Under the recently enacted Data Protection Act, a data protection officer must be appointed to ensure compliance with all obligations provided for in the Data Protection Act.

The Zimbabwe Media Commission’s mandate includes the following:

Ensures that the people of Zimbabwe have equitable and wide access to information;

Comments on the implications of proposed legislation or programs of public bodies on access to information and protection of privacy; and,

Comments on the implications of automated systems for collection, storage, analysis, or transfer of information or for the access to information or protection of privacy.

The Revised ICT Policy proposes the establishment of a quasi-government entity to monitor Internet traffic. It states that all Internet gateways and infrastructure will be controlled by a single company, while a National Data Centre to support both public and high security services and information will be established.

REGISTRATION

There is no law that requires the registration of databases.

DATA PROTECTION OFFICERS

In terms of the Data Protection Act, a Data Protection Officer refers to any individual appointed by the data controller and charged with ensuring, in an independent manner, compliance with the obligations provided for in this Act.

COLLECTION & PROCESSING

There are no specific provisions for the collectors of personal data to obtain the prior approval of data subjects for the processing of their personal data. However, when collecting data the controller or the controller’s representative shall provide the data subject with at least the following information:

the name and address of the controller and of his or her representative, if any;


the purposes of the processing;

the existence of the right to object, by request and free of charge, to the intended processing of data relating to him or her, if it is obtained for the purposes of direct marketing;

whether compliance with the request for information is compulsory or not, as well as what the consequences of the failure to comply are;

taking into account the specific circumstances in which the data is collected, any supporting information, as necessary to ensure fair processing for the data subject, such as:

the recipients or categories of recipients of the data;

whether it is compulsory to reply, and what the possible consequences of the failure to reply are;

the existence of the right to access and rectify the data relating to him or her, except where such additional information, taking into account the specific circumstances in which the data is collected, is not necessary to guarantee accurate processing;

other information dependent on the specific nature of the processing, as specified by the Authority.

For purposes of processing the information, Section 13 of the Data Protection Act is quite instructive. In terms of that Section, every data controller or data processor shall ensure that personal information is:

processed in accordance with the right to privacy of the data subject;

processed lawfully, fairly and in a transparent manner in relation to any data subject;

collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;

adequate, relevant, limited to what is necessary in relation to the purposes for which it is processed;

The Census and Statistics Act contains provisions which restrict the use and disclosure of information obtained during the conducting of a census exercise. Under this Act, authorities are able to collect, compile, analyse, and abstract statistical information relating to any of the following:

Commercial

Industrial

Agricultural

Mining

Social

Economic

General activities and conditions of the inhabitants of Zimbabwe and to publish such statistical information

TRANSFER

The transfer of data to any other jurisdiction is governed in terms of Part VII of the Data Protection Act under sections 28 and 29. In terms of Section 28 of the Data Protection Act:

a data controller may not transfer personal information about a data subject to a third party who is in a foreign country unless an adequate level of protection is ensured in the country of the recipient or within the recipient international organisation and the data is transferred solely to allow tasks covered by the competence of the controller to be carried out.

The adequacy of the level of protection afforded by the third country or international organisation in question shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations, with particular consideration being given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the recipient third country or recipient international organisation, the laws relating to data protection in force in the third country or international organisation in question and the professional rules and security measures which are complied with in that third country or international organisation.

The Authority shall lay down the categories of processing operations for which and the circumstances in which the transfer of data to countries outside the Republic of Zimbabwe is not authorised.

The Minister responsible for the Cyber security and Monitoring Centre, in consultation with the Minister, may give directions on how to implement this section with respect to transfer of personal information outside of Zimbabwe.

SECURITY

Section 18 of the Data Protection Act provides guidelines for the protection of data. It states that to safeguard the security, integrity and confidentiality of the data, the controller or his or her representative, if any, or the processor, shall take the appropriate technical and organisational measures that are necessary to protect data from negligent or unauthorised destruction, negligent loss, unauthorised alteration, or access and any other unauthorised processing of the data.

Further, the Section also provides that the Data Protection Authority may issue appropriate standards relating to information security for all or certain categories of processing. Since the enactment of this Act the Data Protection Authority is still to issue any appropriate standards.

The Revised ICT Policy states that there will be development, implementation and promotion of appropriate security and legal systems for e-commerce, including issues related to cybersecurity, data protection and e-transactions. The Policy states that the following laws will be enacted to cater for intellectual property rights, data protection and security, freedom of access to information, computer related and cybercrime laws:

data protection and privacy

intellectual property protection and copyright

consumer protection and

child online protection.

BREACH NOTIFICATION

Breach notification

Section 19 of the Data Protection Act places a duty on the data controller to notify the Authority “within twenty-four (24) hours of any security breach affecting data he or she processes.”

Mandatory breach notification

Section 19 of the Data Protection Act uses the word “shall”, which makes it mandatory to notify the Authority within twenty-four (24) hours.

ENFORCEMENT

The Constitution mandates the Human Rights Commission (HRC) to enforce a citizen’s human rights where they have been violated. The right to privacy, including the right not to have the privacy of one’s communication infringed, is a basic human right and, thus, falls within the purview of the HRC. However, the Cyber Security and Monitoring of Interceptions of Communications Centre (CSMICC), established by the Interception of Communications Act, is mandated to, among other things, monitor communications made over telecommunications, radio communications and postal systems and to give technical advice to service providers. The mandate of the CSMICC does not preclude it from monitoring computer-based data for the purposes of enforcing an individual’s right to privacy where it is found that such right has been infringed.

Further, the CSMICC also has the duty to oversee the enforcement of the Act to ensure that it is enforced reasonably and with due regard to fundamental human rights and freedoms.

ELECTRONIC MARKETING

Zimbabwe recently enacted the Consumer Protection Act (Chapter 14:44), which has introduced several measures aimed at protecting consumers from unfair trade practices.

The Consumer Protection Act does not make specific reference to electronic marketing; however, it provides certain guidelines around electronic transactions, information to be provided by the service provider, a cooling-off period in electronic transactions and unsolicited goods, services, or communications.

ONLINE PRIVACY

There is currently no specific online privacy legislation.

KEY CONTACTS

Manokore Attorneys

www.dlapiperafrica.com/en/zimbabwe/

DATA PRIVACY TOOL

You may also be interested in our Data Privacy Scorebox to assess your organization’s level of data protection maturity.

Farai Nyabereka
Partner

Manokore Attorneys

T +263 4 746 787

fnyabereka@manokore.com

Steve Chikengezha
Associate

Manokore Attorneys

T +263 773 376 633

schikengezha@manokore.com


Disclaimer

DLA Piper is a global law firm operating through various separate and distinct legal entities. Further details of these entities can be found at www.dlapiper.com.

This publication is intended as a general overview and discussion of the subjects dealt with, and does not create a lawyer-client relationship. It is not intended to be, and should not be used as, a substitute for taking legal advice in any specific situation. DLA Piper will accept no responsibility for any actions taken or not taken on the basis of this publication.

This may qualify as ‘Lawyer Advertising’ requiring notice in some jurisdictions. Prior results do not guarantee a similar outcome.

Copyright © 2022 DLA Piper. All rights reserved.
