Data Privacy Law Directory for Global Researchers
Countries around the globe are implementing rapid and continuous legal reform in response to digitisation.
This resource is designed to assist global researchers and legal teams in sourcing information on data privacy laws, as a first step towards ensuring compliance of data gathering activities with market regulations.
This directory is intended as signposting only. Where possible, we have provided official government website links and publications.
Legal Disclaimer
Empower is not responsible for the content of the links provided in this directory, the accuracy of the summaries provided, or the results of the interpretation of any content in this directory.
A
The Abu Dhabi Global Market (ADGM) is a financial free zone within the United Arab Emirates, a federation composed of seven Emirates. Its status as a financial free zone means that federal civil and commercial law does not apply and it is able to create its own legal framework. The Data Protection Regulation of 2021 governs the processing of personal data by people operating in the Free Zone.
https://www.adgm.com/operating-in-adgm/office-of-data-protection/guidance
Last reviewed: 31 January 2022
Under Albanian law, personal data protection constitutes a fundamental right, as established in Article 35 of the Albanian Constitution. Data protection law has undergone continuous amendments to align more closely with the European Union's General Data Protection Regulation (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).
Albanian Law No. 9887 dated 10.03.2008 defines the scope of personal data and its processing. It covers both data controllers established in Albania and data controllers that are not established there but exercise their activity using any tools or means within Albania.
https://www.idp.al/wp-content/uploads/2016/11/lawdataprotection_new-2 - Link doesn’t work
2016 amendments (Albanian only): https://www.gjk.gov.al/web/kushtetutaeintegruarmendryshimete20161648.pdf
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
Law No. 18-07 establishes general personal data protection requirements such as express consent, data processing notifications, data subject rights, and restrictions on direct marketing and data transfers. Notably, Law No. 18-07 provides significant potential penalties, including possible imprisonment for between two and five years.
In addition, an e-commerce law, Law No. 18-05 of 24 Chaâbane 1439 relating to electronic commerce, was enacted on May 10, 2018. Law 18-05 sets out further protections for e-consumers, regulates cross-border e-commerce, and details obligations relating to electronic advertising.
In broad terms, although these new laws have been introduced, there is little information released publicly in Algeria on the enforcement of data protection or official guidance on compliance.
Copy of Law 18-07 (in French only): https://www.joradp.dz/FTP/JO-FRANCAIS/2018/F2018034.pdf
Official site for Law 18-05: https://www.commerce.gov.dz/reglementation/loi-n-deg-18-05
https://cms.law/en/int/expert-guides/cms-expert-guide-to-data-protection-and-cyber-security-laws/algeria
Last reviewed: 31 January 2022
We have not yet completed this entry.
Ask for this information to be completed.
The Data Protection Act of Argentina sets the main principles and rules for protecting personal data, while the Decree 1160/2010 provides additional regulations for implementation. The main principles concern transparency, accuracy, access rights, confidentiality, and accountability. Please ensure you have an in-browser translation to view both links in English.
http://servicios.infoleg.gob.ar/infolegInternet/anexos/60000-64999/64790/norma.htm
Decree: http://servicios.infoleg.gob.ar/infolegInternet/anexos/170000-174999/170508/norma.htm
Last reviewed: 31 January 2022
The Privacy Act of 1988 is the main piece of legislation in Australia concerning the handling of personal information about individuals. This includes collecting, storing, and disclosing personal information in the federal and private sectors.
https://www.ag.gov.au/rights-and-protections/privacy
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
B
Data protection in Bahrain is mainly governed by the Personal Data Protection Law No. (30) of 2018. Its principles mainly concern data quality control and anonymisation of data.
http://www.pdp.gov.bh/en/regulations.html
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
The Brazilian General Data Protection Law (LGPD), Law No. 13,709, applies to any data processing carried out by a person or by a public or private entity, regardless of where that entity is located. It sets out ten principles concerning the processing of personal data, including consent of the holder, anonymisation of data, and protection of the holder. Please ensure you have an in-browser translation to view the website in English.
http://www.planalto.gov.br/ccivil03/Ato2015-2018/2018/Lei/L13709.htm
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
C
Canada has two federal privacy laws: the Privacy Act, which covers how the federal government handles personal information, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which protects how businesses handle personal information.
PIPEDA sets out the rules for how private-sector organisations collect, use, and disclose personal information in the course of for-profit, commercial activities. It also applies to employees' personal data in federally regulated businesses such as banks, airlines, and telecommunications companies.
Each province and territory also has its own laws regarding the handling of information, which in some cases may apply instead of PIPEDA.
https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/0205d_15/
Last reviewed: 31 January 2022
Law No. 19.628 on the Protection of Private Life is the primary law concerning data privacy. However, a new bill has been introduced to consider regulating the protection and treatment of personal data. The Law stipulates that personal data may only be processed if the law permits or based on the subject's prior informed, written consent. Currently, the bill would look more into processing personal data, regulation on international data transfers, and introducing a data protection authority. Please ensure you have an in-browser translation to view both links in English.
Law 19.628: https://www.bcn.cl/leychile/navegar?idNorma=141599
Proposed Bill: https://www.camara.cl/legislacion/ProyectosDeLey/tramitacion.aspx?prmID=11661&prmBoletin=11144-07
Last reviewed: 31 January 2022
Please ensure you have an in-browser translation to view the link in English.
The Personal Information Protection Law (PIPL) is China's first comprehensive data protection law based on China's Constitution.
The PIPL has what is known as extraterritorial effect and will apply to the following processing activities:
- processing, within China, of personal information of natural persons;
- processing, outside of China, of personal information of natural persons who are in China, if such processing is: to provide products or services to natural persons in China; to analyse/evaluate the behaviour of natural persons in China, and other circumstances prescribed by laws and administrative regulations.
http://www.npc.gov.cn/npc/c30834/202108/a8c4e3672c74491a80b53a172bb753fe.shtml
Last reviewed: 31 January 2022
Please ensure you have an in-browser translation to view these links in English.
The protection of personal data is a constitutional right in Colombia. Colombia's Congress enacted a statutory law (Law No. 1266 of 2008) that establishes provisions on data and the management of information contained in personal databases. Another law (Law 1581 of 2012) was passed to develop the constitutional right that all people have to know, update and rectify the information that has been collected about them.
Constitution of Colombia: https://www.constituteproject.org/constitution/Colombia_2015.pdf?lang=en
Law 1266 of 2008: https://www.alcaldiabogota.gov.co/sisjur/normas/Norma1.jsp?i=34488
Law 1581 of 2012: https://www.alcaldiabogota.gov.co/sisjur/normas/Norma1.jsp?i=49981
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
D
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
E
European Union (EU) General Data Protection Regulation (GDPR) is incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by each EEA state's independent data protection authority.
https://www.efta.int/EEA/Data-Protection-505036
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In the summer of 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
F
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
G
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
H
Hong Kong's Personal Data (Privacy) Ordinance (Cap. 486) has been in place for several years. It was strengthened in 2021 primarily as a result of social media concerns.
It aims to protect the privacy of individuals in relation to personal data and to regulate the collection, holding, processing and use of the data based on a set of data protection principles.
https://www.elegislation.gov.hk/hk/cap486
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
I
Iceland is an EEA member and therefore governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).
GDPR regulations are incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by the independent data protection authority of each EEA state.
Last reviewed: 31 January 2022
The Constitution of India recognises a fundamental right to privacy. Generally, other data protection requirements fall under multiple sources of Acts and boards, including the Information Technology Act 2000, the Information Technology Rules 2011, the Consumer Protection Act 2019, and the Consumer Protection Rules 2020.
Constitution: https://legislative.gov.in/constitution-of-india
IT Rules 2011: https://www.dataguidance.com/sites/default/files/in098en.pdf
IT Act 2000: https://hyderabadpolice.gov.in/acts/ITAct2000-2008(amendment).pdf
Consumer Protection Act 2019: http://164.100.47.193/BillsPDFFiles/Notification/2019-144-gaz.pdf
Consumer Protection Rules 2020: https://consumeraffairs.nic.in/sites/default/files/E%20commerce%20rules.pdf
Last reviewed: 31 January 2022
There is currently no general data protection law in Indonesia. As of January 2022, a draft of the Personal Data Protection Act is now going through the Indonesian Parliament.
However, there are provisions governing personal data protection specifically within the realm of electronic systems and ESPS within Law No. 11 of 2008 on Electronic Information and Transactions.
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
To view these links in English, please ensure you have in-browser translation.
Italy is governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en), but also sets its own guidelines with the Italian Data Protection Authority.
Some of the implications of the GDPR for privacy and data protection include:
- informing citizens and customers of your activities and requiring consent;
- anonymising collected data;
- safely handling the transfer of data across borders;
- and assigning a Data Protection Officer to an organisation.
Additional 2022 guidelines in Italy include a more precise definition of what consent is and how to collect it, how your agency handles cookies, and the validity and proof of consent.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
https://www.gpdp.it/regolamentoue
https://www.gpdp.it/temi/cookie
Last reviewed: 31 January 2022
Data protection in Israel is governed mainly by the Protection of Privacy law 5741-1981 and its regulations. The law covers the collection and use of personal/sensitive data, rights and obligations of parties collecting and using data, and individual rights on how data is used.
https://www.gov.il/en/Departments/legalInfo/legislation
Last reviewed: 31 January 2022
J
Japan has a recently amended act called the Act on the Protection of Personal Information (June 2020) that is in effect from April 2022. This Act sets forth measures for protecting personal information, listing the responsibilities of data users, the handling of data and how it is utilised.
https://www.ppc.go.jp/en/legal/
Last reviewed: 31 January 2022
K
Please ensure you have an in-browser translation to view the link in English.
The primary law and regulations related to data protection in South Korea are within the Personal Information Protection Act 2011 (amended in 2020). Specific principles that apply to data handlers in the Act include:
- making the purposes of the processing explicit;
- ensuring accurate and complete data;
- handling data safely;
- disclosure of privacy policy;
- and anonymisation of data.
https://elaw.klri.re.kr/kor_service/lawView.do?hseq=53044&lang=ENG
Last reviewed: 31 January 2022
L
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
GDPR regulations are incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by each EEA state's independent data protection authority.
https://www.efta.int/EEA/Data-Protection-505036
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
M
The Republic of North Macedonia regulates personal data protection issues with the Law on Personal Data Protection, no. 42/20, “DP Law”, effective 24th February 2020. It is available only in Macedonian as a PDF on the link below.
The DP Law is primarily harmonised with the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en). More information is available on the link below to the unofficial website 'DLA Piper Data Protection'.
https://www.dlapiperdataprotection.com/index.html?t=law&c=MK
https://dzlp.mk/sites/default/files/u4/zakonzazastitanalicnite_podatoci.pdf
Example of a privacy policy on official government website: https://vlada.mk/node/25224?ln=en-gb
Last reviewed: 31 January 2022
In Malaysia, the Personal Data Protection Act 2010 (PDPA) is the primary legislation concerning data protection. This Act sets out rules on:
- notifying the data subject;
- data disclosure;
- data security;
- data retention;
- and data integrity.
https://www.kkmm.gov.my/pdf/Personal%20Data%20Protection%20Act%202010.pdf
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
Please ensure you have an in-browser translation to view this link in English.
The general data protection law in Mexico is the Federal Law for the Protection of Personal Data in possession of Private Parties (LFPDPPP). It is supplemented by the Rules of the Federal Law for the Protection of Personal Data in control of Private Parties ("Regulation") and the Guidelines on Privacy Notices ("Guidelines") set out by the Institute for Access to Information and Protection of Personal Data (INAI).
The Law, the "Regulation", and the "Guidelines" cover all individuals and legal entities in the private sector involved in processing personal data. The processing of personal data must be carried out with the general data protection principles in mind: legality, consent, information, data quality, purpose specification, loyalty, proportionality, and accountability.
http://www.dof.gob.mx/nota_detalle.php?codigo=5469949&fecha=26/01/2017
Last reviewed: 31 January 2022
N
https://data.govt.nz/toolkit/privacy-and-security/data-privacy/
Last reviewed: 31 January 2022
Norway is an EEA member and therefore governed by the European Union's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).
GDPR regulations are incorporated into the EEA Agreement. Controllers or processors of personal data established in an EEA State are subject to the obligations laid down in EU legislation. Their compliance is monitored by each EEA state's independent data protection authority.
https://www.efta.int/EEA/Data-Protection-505036
Last reviewed: 31 January 2022
O
P
The Data Privacy Act of 2012 (Republic Act 10173) is the Philippines' governing law on data privacy. The main principles of this Act include:
- collection must be declared and specified for a legitimate purpose;
- all data should be processed fairly and lawfully;
- assurance of data quality;
- processing should be safeguarded, and data should not be retained for longer than necessary.
https://www.privacy.gov.ph/data-privacy-act/
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
Q
R
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
Please ensure you have an in-browser translation to view the link in English.
The Federal Law on Personal Data in Russia (Federal Law of 27 July 2006 N 152-FZ on Personal Data) is the country's foundational law on data processing.
Amendments have recently been made to the law, including the introduction of content-based restrictions for all organisations on collecting and disseminating data. This includes social media and blog posts.
https://pd.rkn.gov.ru/authority/p146/p164/
Last reviewed: 31 January 2022
S
To view this link in English, please ensure you have in-browser translation.
The Personal Data Protection Law enters into force in March 2022 and is Saudi Arabia's first data protection law. The aim is to ensure the privacy of personal data, regulate data sharing, and prevent abuse of personal data.
https://laws.boe.gov.sa/BoeLaws/Laws/LawDetails/b7cfae89-828e-4994-b167-adaa00e37188/1
Last reviewed: 31 January 2022
The Personal Data Protection Act (PDPA) is a baseline for data protection in Singapore. It includes sector-specific frameworks such as banking and insurance. The Act comprises requirements concerning the collection, use, disclosure and care of personal data.
https://www.pdpc.gov.sg/Overview-of-PDPA/The-Legislation/Personal-Data-Protection-Act
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In the summer of 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In the summer of 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
The Protection of Personal Information Act (POPIA) is the primary law governing personal privacy and data processing in South Africa. The primary purpose is to promote the protection of personal information by public and private bodies, introduce certain conditions as minimum requirements for the processing of personal data, issue codes of conduct, decision-making in unsolicited electronic communications, and regulate the flow of personal information across borders.
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
A new ordinance on the Federal Act on Data Protection (FADP) comes into effect in 2022 or 2023. As of January 2022, no official English text of the revised FADP has been published. The link provided is to the current "old" act.
https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en
Last reviewed: 31 January 2022
T
Taiwan's Personal Data Protection Act (PDPA) is enacted to regulate the collection, processing, and use of personal data. Government and non-government agencies are required to notify the data subject about the purposes of data collection, use of data, and the subject's rights.
https://law.moj.gov.tw/ENG/LawClass/LawAll.aspx?pcode=I0050021
Last reviewed: 31 January 2022
The Personal Data Protection Act 2019 (PDPA) is the first law governing Thailand's data protection. The PDPA requires compliance with the principle of data minimisation and ensuring that data is accurate and complete. The PDPA comes into effect in June 2022.
https://www.dataguidance.com/sites/default/files/entranslationofthepersonaldataprotectionact_0.pdf
Last reviewed: 31 January 2022
General Data Protection Regulation (GDPR) requirements apply to each member state of the European Union and set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
In 2021, the European Commission published Standard Contractual Clauses (SCCs) for data transfer between EU and non-EU countries.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
Please ensure you have an in-browser translation to view this link in English.
Turkey has the Personal Data Protection Law. Its purpose is to protect a person's fundamental rights and freedoms, particularly the right to privacy, and to set out the principles and procedures for processing data. The primary purposes of the law concern specific and informed consent and the anonymisation of personal data.
https://www.kvkk.gov.tr/Icerik/6649/Personal-Data-Protection-Law
Last reviewed: 31 January 2022
U
Please ensure you have an in-browser translation to view these links in English.
The laws and regulations that oversee data protection in Ukraine include the Law of 1 June 2010 No. 2997-VI on Personal Data Protection, which regulates personal data processing, and the Law of 23 February 2012 No. 4452-VI and 20 November 2012 No. 5491-VI.
The principles of these laws and regulations concern openness and transparency, accuracy, and data minimisation.
https://zakon.rada.gov.ua/laws/show/2297-17#Text
Amendments to the Law on Personal Data Protection: https://zakon.rada.gov.ua/laws/show/5491-17#Text
Last reviewed: 31 January 2022
The United Arab Emirates (UAE) has issued Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). The Law covers the processing of personal data belonging to subjects within the UAE, regardless of the location of the data controller or processor.
https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws
https://www.wam.ae/en/details/1395302997239
Last reviewed: 31 January 2022
The United Kingdom is not a member of the European Union (EU), although it is still governed mainly by the EU's General Data Protection Regulation (GDPR) (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en).
However, a UK-specific standard template contract, the International Data Transfer Agreement (IDTA), will govern data transfers and replace the current European Union Standard Contractual Clauses (SCCs) when the data is collected in the UK. There may also be an Addendum to the new EU SCCs to make them compatible with transfers from the UK to third countries when the data is collected in the EU.
The expected timeframes are as follows:
- April 2022: UK IDTA templates are published and come into force;
- January 2024: EU SCCs can no longer be used.
GDPR requirements set mandatory rules for how organisations and companies must use personal data. Some of the implications of the law on privacy and data protection include: informing citizens and customers of your activities and requiring consent, anonymising collected data, safely handling the transfer of data across borders, and assigning a Data Protection Officer to an organisation.
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en
Last reviewed: 31 January 2022
There is no single federal law that covers the privacy of all types of data in the United States. However, there is a mixture of laws that target specific types of data in exceptional circumstances.
For example, the Federal Trade Commission Act allows violations of privacy policies to be investigated.
There are sector-specific privacy laws covering banking (GLBA), healthcare (HIPAA), and education (FERPA).
There are currently three states with active privacy laws: California (California Consumer Privacy Act; California Privacy Rights Act, effective 2023), Colorado (SB 190), and Virginia (Consumer Data Protection Act).
The International Association of Privacy Professionals offers a tool to help track US State Privacy Legislation.
Federal Trade Commission Act: https://www.ftc.gov/enforcement/statutes/federal-trade-commission-act
California Consumer Privacy Act of 2018: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
Colorado Senate Bill 190: https://legiscan.com/CO/drafts/SB190/2021
Virginia Consumer Data Protection Act: https://lis.virginia.gov/cgi-bin/legp604.exe?ses=212&typ=bil&val=sb1392
Gramm-Leach-Bliley Act (GLBA): https://www.ftc.gov/tips-advice/business-center/privacy-and-security/gramm-leach-bliley-act
Health Information Portability and Accountability Act (HIPAA): https://www.hhs.gov/hipaa/index.html
Family Educational Rights and Privacy Act (FERPA): https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html
IAPP US State Privacy Legislation Tracker: https://iapp.org/resources/article/us-state-privacy-legislation-tracker/
Last reviewed: 31 January 2022
V Y Z