Data Privacy Law Directory
for Global Researchers.

Countries around the globe are implementing rapid and continuous legal reform in response to digitisation.

This resource is designed to assist global researchers and legal teams in sourcing information on data privacy laws, as a first step towards ensuring compliance of data gathering activities with market regulations.

This directory is intended as signposting only. Where possible, we have provided official government website links and publications.

Legal Disclaimer

Empower is not responsible for the content of the links provided in this directory, the accuracy of the summaries provided, or the results of the interpretation of any content in this directory.

A

The Abu Dhabi Global Market

The Abu Dhabi Global Market (ADGM) is a financial free zone within the United Arab Emirates, a federation composed of seven Emirates. Its status as a financial free zone means that federal civil and commercial law does not apply and that it is able to create its own legal framework. The Data Protection Regulation of 2021 governs the processing of personal data by people operating in the Free Zone.

https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance

Last reviewed: 31 January 2022


Afghanistan

We have not yet completed this entry.
Ask for this information to be completed.


Albania

Under Albanian law, personal data protection constitutes a fundamental right, as established in Article 35 of the Albanian Constitution. Data protection legislation has undergone continuous amendments to align more closely with the European Union's General Data Protection Regulation (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).

Albanian Law No. 9887 dated 10.03.2008 defines the scope of personal data and its processing. It covers both data controllers established in Albania and data controllers that are not established there but exercise their activity using any tools or means within Albania.

https://www.idp.al/wp-content/uploads/2016/11/lawdataprotection_new-2 - Link doesn’t work

2016 amendments (Albanian only): https://www.gjk.gov.al/web/kushtetutaeintegruarmendryshimete20161648.pdf

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Algeria

Law No. 18-07 establishes general personal data protection requirements such as express consent, data processing notifications, data subject rights, restrictions on direct marketing and data transfers. Notably, Law No. 18-07 provides significant potential penalties, including possible imprisonment for between two and five years.

In addition, an e-commerce law, Law No. 18-05 of 24 Chaâbane 1439 relating to electronic commerce, was enacted on May 10, 2018. Law 18-05 sets out further protections for e-consumers, regulates cross-border e-commerce, and details obligations relating to electronic advertising.

In broad terms, although these new laws have been introduced, there is little information released publicly in Algeria on the enforcement of data protection or official guidance on compliance.

Copy of Law 18-07 (in French only): https://www.joradp.dz/FTP/JO-FRANCAIS/2018/F2018034.pdf
Official site for Law 18-05: https://www.commerce.gov.dz/reglementation/loi-n-deg-18-05
https://cms.law/en/int/expert-guides/cms-expert-guide-to-data-protection-and-cyber-security-laws/algeria

Last reviewed: 31 January 2022


Andorra

We have not yet completed this entry.
Ask for this information to be completed.


Angola

We have not yet completed this entry.
Ask for this information to be completed.


Antigua and Barbuda

We have not yet completed this entry.
Ask for this information to be completed.


Argentina

The Data Protection Act of Argentina sets the main principles and rules for protecting personal data, while Decree 1160/2010 provides additional regulations for implementation. The main principles concern transparency, accuracy, access rights, confidentiality, and accountability. Please ensure you have an in-browser translation to view both links in English.

http://servicios.infoleg.gob.ar/infolegInternet/anexos/60000-64999/64790/norma.htm

Decree: http://servicios.infoleg.gob.ar/infolegInternet/anexos/170000-174999/170508/norma.htm

Last reviewed: 31 January 2022


Armenia

We have not yet completed this entry.
Ask for this information to be completed.


Australia

The Privacy Act of 1988 is the main piece of legislation in Australia concerning the protection and handling of personal information about individuals. This includes collecting, storing, and disclosing personal information in the federal and private sectors.

https://www.ag.gov.au/rights-and-protections/privacy

Last reviewed: 31 January 2022


Austria

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Azerbaijan

We have not yet completed this entry.
Ask for this information to be completed.


B

Bahamas

We have not yet completed this entry.
Ask for this information to be completed.


Bahrain

Data protection in Bahrain is mainly governed by the Personal Data Protection Law No. (30) of 2018. Its principles mainly concern data quality control and anonymisation of data.

http://www.pdp.gov.bh/en/regulations.html

Last reviewed: 31 January 2022


Bangladesh

We have not yet completed this entry.
Ask for this information to be completed.


Barbados

We have not yet completed this entry.
Ask for this information to be completed.


Belarus

We have not yet completed this entry.
Ask for this information to be completed.


Belgium

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Belize

We have not yet completed this entry.
Ask for this information to be completed.


Benin

We have not yet completed this entry.
Ask for this information to be completed.


Bhutan

We have not yet completed this entry.
Ask for this information to be completed.


Bolivia

We have not yet completed this entry.
Ask for this information to be completed.


Botswana

We have not yet completed this entry.
Ask for this information to be completed.


Brazil

The Brazilian General Data Protection Law (LGPD), Law No. 13,709, applies to any data processing carried out by a person or by a public or private entity, regardless of where that entity is located. It sets out ten principles concerning the processing of personal data, including consent of the holder, anonymisation of data, and protection of the holder. Please ensure you have an in-browser translation to view the website in English.

http://www.planalto.gov.br/ccivil03/Ato2015-2018/2018/Lei/L13709.htm

Last reviewed: 31 January 2022


Brunei

We have not yet completed this entry.
Ask for this information to be completed.


Bulgaria

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Burkina Faso

We have not yet completed this entry.
Ask for this information to be completed.


Burundi

We have not yet completed this entry.
Ask for this information to be completed.


C

Cabo Verde

We have not yet completed this entry.
Ask for this information to be completed.


Cambodia

We have not yet completed this entry.
Ask for this information to be completed.


Cameroon

We have not yet completed this entry.
Ask for this information to be completed.


Canada

Canada has two federal privacy laws: the Privacy Act, which covers how the federal government handles personal information, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which protects how businesses handle personal information.

PIPEDA sets out the rules for how private-sector organisations collect, use, and disclose personal information in the course of for-profit, commercial activities. It also applies to employees' personal data in federally regulated businesses such as banks, airlines, and telecommunications companies.

Each province and territory also has its own laws regarding the handling of information, which in some cases may apply instead of PIPEDA.

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/0205d_15/

Last reviewed: 31 January 2022


Chad

We have not yet completed this entry.
Ask for this information to be completed.


Chile

Law No. 19.628 on the Protection of Private Life is the primary law concerning data privacy. However, a new bill has been introduced to consider regulating the protection and treatment of personal data. The Law stipulates that personal data may only be processed if the law permits or based on the subject's prior informed, written consent. Currently, the bill would look more into processing personal data, regulating international data transfers, and introducing a data protection authority. Please ensure you have an in-browser translation to view both links in English.

Law 19.628: https://www.bcn.cl/leychile/navegar?idNorma=141599

Proposed Bill: https://www.camara.cl/legislacion/ProyectosDeLey/tramitacion.aspx?prmID=11661&prmBoletin=11144-07

Last reviewed: 31 January 2022


China

Please ensure you have an in-browser translation to view the link in English.

The Personal Information Protection Law (PIPL) is China's first comprehensive data protection law based on China's Constitution.

The PIPL has what is known as extraterritorial effect and will apply to the following processing activities:

  • processing, within China, of personal information of natural persons;
  • processing, outside of China, of personal information of natural persons who are in China, if such processing is to provide products or services to natural persons in China, to analyse/evaluate the behaviour of natural persons in China, or in other circumstances prescribed by laws and administrative regulations.

http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml

Last reviewed: 31 January 2022


Colombia

Please ensure you have an in-browser translation to view these links in English.

The protection of personal data is a constitutional right in Colombia. Colombia's Congress enacted a statutory law (Law No. 1266 of 2008) that establishes provisions on data and the management of information contained in personal databases. Another law was passed (Law 1581 of 2012) to develop the constitutional right that all people have to know, update and rectify the information that has been collected about them.

Constitution of Colombia: https://www.constituteproject.org/constitution/Colombia_2015.pdf?lang=en

Law 1266 of 2008: https://www.alcaldiabogota.gov.co/sisjur/normas/Norma1.jsp?i=34488

Law 1581 of 2012: https://www.alcaldiabogota.gov.co/sisjur/normas/Norma1.jsp?i=49981

Last reviewed: 31 January 2022


Comoros

We have not yet completed this entry.
Ask for this information to be completed.


Costa Rica

We have not yet completed this entry.
Ask for this information to be completed.


Côte d'Ivoire

We have not yet completed this entry.
Ask for this information to be completed.


Croatia

We have not yet completed this entry.
Ask for this information to be completed.


Cuba

We have not yet completed this entry.
Ask for this information to be completed.


Cyprus

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Czech Republic

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


D

Denmark

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Djibouti

We have not yet completed this entry.
Ask for this information to be completed.


Dominica

We have not yet completed this entry.
Ask for this information to be completed.


Dominican Republic

We have not yet completed this entry.
Ask for this information to be completed.


E

Ecuador

We have not yet completed this entry.
Ask for this information to be completed.


EEA

European Union (EU) General Data Protection Regulation (GDPR) is incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by each EEA state's independent data protection authority.

https://www.efta.int/EEA/Data-Protection-505036

Last reviewed: 31 January 2022


Egypt

We have not yet completed this entry.
Ask for this information to be completed.


El Salvador

We have not yet completed this entry.
Ask for this information to be completed.


Equatorial Guinea

We have not yet completed this entry.
Ask for this information to be completed.


Eritrea

We have not yet completed this entry.
Ask for this information to be completed.


Estonia

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Ethiopia

We have not yet completed this entry.
Ask for this information to be completed.


EU

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In the summer of 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


F

Fiji

We have not yet completed this entry.
Ask for this information to be completed.


Finland

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


France

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


G

Gabon

We have not yet completed this entry.
Ask for this information to be completed.


Gambia

We have not yet completed this entry.
Ask for this information to be completed.


Georgia

We have not yet completed this entry.
Ask for this information to be completed.


Germany

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022



Ghana

We have not yet completed this entry.
Ask for this information to be completed.


Greece

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Grenada

We have not yet completed this entry.
Ask for this information to be completed.


Guatemala

We have not yet completed this entry.
Ask for this information to be completed.


Guinea

We have not yet completed this entry.
Ask for this information to be completed.


Guinea-Bissau

We have not yet completed this entry.
Ask for this information to be completed.


Guyana

We have not yet completed this entry.
Ask for this information to be completed.


H

Haiti

We have not yet completed this entry.
Ask for this information to be completed.


Holy See

We have not yet completed this entry.
Ask for this information to be completed.


Honduras

We have not yet completed this entry.
Ask for this information to be completed.


Hong Kong

Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) has been in place for several years. It was strengthened in 2021 primarily as a result of social media concerns.

It aims to protect the privacy of individuals in relation to personal data and to regulate the collection, holding, processing and use of the data based on a set of data protection principles.

https://www.elegislation.gov.hk/hk/cap486

Last reviewed: 31 January 2022


Hungary

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


I

Iceland

Iceland is an EEA member and therefore governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).

GDPR regulations are incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by the independent data protection authority of each EEA state.

Last reviewed: 31 January 2022


India

The Constitution of India recognises a fundamental right to privacy. Generally, other data protection requirements fall under multiple Acts and boards, including the Information Technology Act 2000, the Information Technology Rules 2011, the Consumer Protection Act 2019, and the Consumer Protection Rules 2020.

Constitution: https://legislative.gov.in/constitution-of-india

IT Act 2000: https://hyderabadpolice.gov.in/acts/ITAct2000-2008(amendment).pdf

IT Rules 2011: https://www.dataguidance.com/sites/default/files/in098en.pdf

Consumer Protection Act 2019: http://164.100.47.193/BillsPDFFiles/Notification/2019-144-gaz.pdf

Consumer Protection Rules 2020: https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf

Last reviewed: 31 January 2022


Indonesia

There is currently no general data protection law in Indonesia. As of January 2022, a draft of the Personal Data Protection Act is now going through the Indonesian Parliament.

However, there are provisions governing personal data protection specifically within the realm of electronic systems and ESPS within Law No. 11 of 2008 on Electronic Information and Transactions.

Last reviewed: 31 January 2022


Ireland

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Italy

To view these links in English, please ensure you have in-browser translation.

Italy is governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en), but also sets its own guidelines with the Italian Data Protection Authority.

Some of the implications of the GDPR for privacy and data protection include:

  • informing citizens and customers of your activities and requiring consent;
  • anonymising collected data;
  • safely handling the transferral of data across borders;
  • and assigning a Data Protection Officer to an organisation.

Additional 2022 guidelines in Italy cover the precise definition of consent and how to collect it, how your agency handles cookies, and the validity and proof of consent.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

https://www.gpdp.it/regolamentoue

https://www.gpdp.it/temi/cookie

Last reviewed: 31 January 2022


Israel

Data protection in Israel is governed mainly by the Protection of Privacy Law 5741-1981 and its regulations. The law covers the collection and use of personal/sensitive data, the rights and obligations of parties collecting and using data, and individual rights on how data is used.

https://www.gov.il/en/Departments/legalInfo/legislation

Last reviewed: 31 January 2022


J

Jamaica

We have not yet completed this entry.
Ask for this information to be completed.


Japan

Japan has a recently amended act called the Act on the Protection of Personal Information (June 2020) that is in effect from April 2022. This Act sets forth measures for protecting personal information, listing the responsibilities of data users, the handling of data and how it is utilised.

https://www.ppc.go.jp/en/legal/

Last reviewed: 31 January 2022


Jordan

We have not yet completed this entry.
Ask for this information to be completed.


K

Kenya

We have not yet completed this entry.
Ask for this information to be completed.


Kiribati

We have not yet completed this entry.
Ask for this information to be completed.


Korea (South)

Please ensure you have an in-browser translation to view the link in English.

The primary law and regulations related to data protection in South Korea are within the Personal Information Protection Act 2011 (amended in 2020). Specific principles that apply to data handlers in the Act include:

  • explicitness of the purposes of processing;
  • ensuring accurate and complete data;
  • handling data safely;
  • disclosure of privacy policy;
  • and anonymisation of data.

https://elaw.klri.re.kr/kor_service/lawView.do?hseq=53044&lang=ENG

Last reviewed: 31 January 2022


Kuwait

We have not yet completed this entry.
Ask for this information to be completed.


Kyrgyzstan

We have not yet completed this entry.
Ask for this information to be completed.


L

Laos

We have not yet completed this entry.
Ask for this information to be completed.


Latvia

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Lebanon

We have not yet completed this entry.
Ask for this information to be completed.


Lesotho

We have not yet completed this entry.
Ask for this information to be completed.


Liberia

We have not yet completed this entry.
Ask for this information to be completed.


Libya

We have not yet completed this entry.
Ask for this information to be completed.


Liechtenstein

Liechtenstein is an EEA member and therefore governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).

GDPR regulations are incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by each EEA state's independent data protection authority.

https://www.efta.int/EEA/Data-Protection-505036

Last reviewed: 31 January 2022


Lithuania

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Luxembourg

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


M

Macedonia

The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection, no. 42/20, “DP Law”, effective 24th February 2020. It is available only in Macedonian as a PDF on the link above.

The DP Law is primarily harmonised with the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en). More information is available on the link above to the unofficial website 'DLA Piper Data Protection'.

https://www.dlapiperdataprotection.com/index.html?t=law&c=MK

https://dzlp.mk/sites/default/files/u4/zakonzazastitanalicnite_podatoci.pdf

Example of a privacy policy on official government website: https://vlada.mk/node/25224?ln=en-gb

Last reviewed: 31 January 2022


Madagascar

We have not yet completed this entry.
Ask for this information to be completed.


Malawi

We have not yet completed this entry.
Ask for this information to be completed.


Malaysia

In Malaysia, the Personal Data Protection Act 2010 (PDPA) is the primary legislation concerning data protection. This Act sets out rules on:

  • notifying the data subject;
  • data disclosure;
  • data security;
  • data retention;
  • and data integrity.

https://www.kkmm.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf

Last reviewed: 31 January 2022


Mali

We have not yet completed this entry.
Ask for this information to be completed.


Maldives

We have not yet completed this entry.
Ask for this information to be completed.


Malta

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Mauritania

We have not yet completed this entry.
Ask for this information to be completed.


Mauritius

We have not yet completed this entry.
Ask for this information to be completed.


Marshall Islands

We have not yet completed this entry.
Ask for this information to be completed.


Mexico

Please ensure you have an in-browser translation to view this link in English.

The general data protection law in Mexico is the Federal Law for the Protection of Personal Data in possession of Private Parties (LFPDPPP). It is supplemented by the Rules of the Federal Law for the Protection of Personal Data in control of Private Parties ("Regulation") and the Guidelines on Privacy Notices ("Guidelines") set out by the Institute for Access to Information and Protection of Personal Data (INAI).

The Law, "Regulations", and "Guidelines" cover all individuals and legal entities in the private sector involved in processing personal data. The processing of personal data must be carried out with the general data protection principles in mind: legality, consent, information, data quality, purpose specification, loyalty, proportionality, and accountability.

http://www.dof.gob.mx/nota_detalle.php?codigo=5469949&fecha=26/01/2017

Last reviewed: 31 January 2022


Monaco

We have not yet completed this entry.
Ask for this information to be completed.


Montenegro

We have not yet completed this entry.
Ask for this information to be completed.


Morocco

We have not yet completed this entry.
Ask for this information to be completed.


Mozambique

We have not yet completed this entry.
Ask for this information to be completed.


Mongolia

We have not yet completed this entry.
Ask for this information to be completed.


Micronesia

We have not yet completed this entry.
Ask for this information to be completed.


N

Namibia

We have not yet completed this entry.
Ask for this information to be completed.


Nauru

We have not yet completed this entry.
Ask for this information to be completed.


Nepal

We have not yet completed this entry.
Ask for this information to be completed.


New Zealand

New Zealand has the Privacy Act of 2020, which provides rules on compliance when collecting and using data. The Privacy Act 2020 sets out 13 information privacy principles that organisations are expected to comply with, the rules you must follow if someone asks what information you hold about them, and how to report to the Privacy Commissioner if there is a privacy breach.

Nicaragua

We have not yet completed this entry.
Ask for this information to be completed.


Niger

We have not yet completed this entry.
Ask for this information to be completed.


Nigeria

We have not yet completed this entry.
Ask for this information to be completed.


North Korea

We have not yet completed this entry.
Ask for this information to be completed.


Norway

Norway is an EEA member and therefore governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).

GDPR regulations are incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by each EEA state's independent data protection authority.

https://www.efta.int/EEA/Data-Protection-505036

Last reviewed: 31 January 2022


O

Oman

We have not yet completed this entry.
Ask for this information to be completed.


P

Palau

We have not yet completed this entry.
Ask for this information to be completed.


Palestine State

We have not yet completed this entry.
Ask for this information to be completed.


Panama

We have not yet completed this entry.
Ask for this information to be completed.


Papua New Guinea

We have not yet completed this entry.
Ask for this information to be completed.


Paraguay

We have not yet completed this entry.
Ask for this information to be completed.


Peru

We have not yet completed this entry.
Ask for this information to be completed.


Philippines

The Data Privacy Act of 2012 (Republic Act 10173) is the Philippines' governing law on data privacy. The main principles of this Act include:

  • collection must be declared and specified for a legitimate purpose;
  • all data should be processed fairly and lawfully;
  • data quality must be ensured;
  • processing should be safeguarded, and data should not be retained for longer than necessary.

https://www.privacy.gov.ph/data-privacy-act/

Last reviewed: 31 January 2022


Poland

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Portugal

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Q

Qatar

We have not yet completed this entry.
Ask for this information to be completed.


R

Romania

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Russia

Please ensure you have an in-browser translation to view the link in English.

The Federal Law on Personal Data in Russia (Federal Law of 27 July 2006 N 152-FZ on Personal Data) is the country's foundation law on data processing.

New amendments have been made recently to the law, including introducing content-based restrictions for all organisations on collecting and disseminating data. This includes social media and blog posts.

https://pd.rkn.gov.ru/authority/p146/p164/

Last reviewed: 31 January 2022


Rwanda

We have not yet completed this entry.
Ask for this information to be completed.


S

Saint Lucia

We have not yet completed this entry.
Ask for this information to be completed.


Samoa

We have not yet completed this entry.
Ask for this information to be completed.


San Marino

We have not yet completed this entry.
Ask for this information to be completed.


Saudi Arabia

To view this link in English, please ensure you have in-browser translation.

The Personal Data Protection Law enters into force in March 2022 and is Saudi Arabia's first data protection law. The aim is to ensure the privacy of personal data, regulate data sharing, and prevent abuse of personal data.

https://laws.boe.gov.sa/BoeLaws/Laws/LawDetails/b7cfae89-828e-4994-b167-adaa00e37188/1

Last reviewed: 31 January 2022


Senegal

We have not yet completed this entry.
Ask for this information to be completed.


Serbia

We have not yet completed this entry.
Ask for this information to be completed.


Seychelles

We have not yet completed this entry.
Ask for this information to be completed.


Sierra Leone

We have not yet completed this entry.
Ask for this information to be completed.


Singapore

The Personal Data Protection Act (PDPA) is a baseline for data protection in Singapore. It includes sector-specific frameworks such as banking and insurance. The Act comprises requirements concerning the collection, use, disclosure and care of personal data.

https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act

Last reviewed: 31 January 2022


Slovakia

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In the summer of 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Slovenia

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In the summer of 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Solomon Islands

We have not yet completed this entry.
Ask for this information to be completed.


Somalia

We have not yet completed this entry.
Ask for this information to be completed.


South Africa

The Protection of Personal Information Act (POPIA) is the primary law behind personal privacy and data processing in South Africa. The primary purpose is to promote the protection of personal information by public and private bodies, introduce certain conditions as minimum requirements for the processing of personal data, issue codes of conduct, decision-making in unsolicited electronic communications, and regulate the flow of personal information across the borders.

https://popia.co.za/

Last reviewed: 31 January 2022


South Sudan

We have not yet completed this entry.
Ask for this information to be completed.


Spain

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Sri Lanka

We have not yet completed this entry.
Ask for this information to be completed.


Sudan

We have not yet completed this entry.
Ask for this information to be completed.


Suriname

We have not yet completed this entry.
Ask for this information to be completed.


Sweden

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Switzerland

A new ordinance on the Federal Act on Data Protection comes into effect in 2022 or 2023. There are no official published texts as of January 2022 in English with the revised FADP. The link above is the current "old" act.

https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en

Last reviewed: 31 January 2022

Syria

We have not yet completed this entry.
Ask for this information to be completed.


T

Taiwan

Taiwan's Personal Data Protection Act (PDPA) is enacted to regulate the collection, processing, and use of personal data. Government and non-government agencies are required to notify the data subject about the purposes of data collection, use of data, and the subject's rights.

https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050021

Last reviewed: 31 January 2022


Tajikistan

We have not yet completed this entry.
Ask for this information to be completed.


Tanzania

We have not yet completed this entry.
Ask for this information to be completed.


Thailand

The Personal Data Protection Act 2019 (PDPA) is the first law governing Thailand's data protection. The PDPA requires compliance with the principle of data minimisation and with ensuring that data is accurate and complete. The PDPA comes into effect in June 2022.

https://www.dataguidance.com/sites/default/files/entranslationofthepersonaldataprotectionact_0.pdf

Last reviewed: 31 January 2022


The Netherlands

General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

Last reviewed: 31 January 2022


Timor-Leste

We have not yet completed this entry.
Ask for this information to be completed.


Togo

We have not yet completed this entry.
Ask for this information to be completed.


Trinidad and Tobago

We have not yet completed this entry.
Ask for this information to be completed.


Tunisia

We have not yet completed this entry.
Ask for this information to be completed.


Turkey

Please ensure you have an in-browser translation to view this link in English.

Turkey has the Personal Data Protection Law. Its purpose is to protect a person's fundamental rights and freedoms, particularly the right to privacy, and to set out the principles and procedures for processing data. The primary purposes of the law are to require specific and informed consent and the anonymisation of personal data.

https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law

Last reviewed: 31 January 2022


Turkmenistan

We have not yet completed this entry.
Ask for this information to be completed.


Tuvalu

We have not yet completed this entry.
Ask for this information to be completed.


U

Uganda

We have not yet completed this entry.
Ask for this information to be completed.


Ukraine

Please ensure you have an in-browser translation to view these links in English.

The laws and regulations that oversee data protection in Ukraine include the Law of 1 June 2010 No. 2997-VI on Personal Data Protection, which regulates personal data processing, and the Law of 23 February 2012 No. 4452-VI and 20 November 2012 No. 5491-VI.

The principles of these laws and regulations concern openness and transparency, accuracy, and data minimisation.

https://zakon.rada.gov.ua/laws/show/2297-17#Text

Amendments to the Law on Personal Data Protection: https://zakon.rada.gov.ua/laws/show/5491-17#Text

Last reviewed: 31 January 2022


United Arab Emirates (UAE)

The United Arab Emirates (UAE) has issued Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). The Law covers the processing of personal data belonging to subjects within the UAE, regardless of the location of the data controller or processor.

https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws

https://www.wam.ae/en/details/1395302997239

Last reviewed: 31 January 2022


United Kingdom

The United Kingdom is not a member of the European Union (EU), although it is still governed mainly by the EU's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).

However, a UK-specific standard template contract, the International Data Transfer Agreement (IDTA), will govern data transfers and replace the current European Union Standard Contractual Clauses (SCCs) when the data is collected in the UK. There may also be an Addendum to the new EU SCCs to make them compatible with transfers from the UK to third countries when the data is collected in the EU.

The expected timeframes are as follows:

  • April 2022: UK IDTA templates are published and come into force;
  • January 2024: EU SCCs can no longer be used.

GDPR requirements set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.

https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/

Last reviewed: 31 January 2022


Uruguay

We have not yet completed this entry.
Ask for this information to be completed.


United States

There is no singular federal law that covers the privacy of all types of data in the United States. However, there is a mixture of laws that target specific types of data in exceptional circumstances.

For example, violations of privacy policies can be investigated under the Federal Trade Commission Act.

There are sector-specific laws concerning privacy with banks (GLBA), healthcare (HIPAA), and educational privacy (FERPA).

There are currently three states with active privacy laws: California (California Consumer Privacy Act; California Privacy Rights Act, effective 2023), Colorado (SB 190), and Virginia (Consumer Data Protection Act).

The International Association of Privacy Professionals offers a tool to help track US State Privacy Legislation.

Federal Trade Commission Act: https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act

California Consumer Privacy Act of 2018: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5

Colorado Senate Bill 190: https://legiscan.com/CO/drafts/SB190/2021

Virginia Consumer Data Protection Act: https://lis.virginia.gov/cgi-bin/legp604.exe?ses=212&typ=bil&val=sb1392

Gramm-Leach-Bliley Act (GLBA): https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act

Health Information Portability and Accountability Act (HIPAA): https://www.hhs.gov/hipaa/index.html

Family Educational Rights and Privacy (FERPA): https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html

IAPP US State Privacy Legislation Tracker: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/

Last reviewed: 31 January 2022


Uzbekistan

We have not yet completed this entry.
Ask for this information to be completed.


V Y Z

Vanuatu

We have not yet completed this entry.
Ask for this information to be completed.


Venezuela

We have not yet completed this entry.
Ask for this information to be completed.


Vietnam

We have not yet completed this entry.
Ask for this information to be completed.


Yemen

We have not yet completed this entry.
Ask for this information to be completed.


Zambia

We have not yet completed this entry.
Ask for this information to be completed.


Zimbabwe

We have not yet completed this entry.
Ask for this information to be completed.

