Global Privacy Directory

  • Afghanistan

    No further information currently available.

  • Albania

    Law: Law on the Protection of Personal Data No. 9887 of 10 March 2008 (as amended)
    Data Controller: The natural or legal person, public authority, agency or any other body, which alone or jointly with others determines the purposes and means of processing of personal data, in compliance with the laws and applicable secondary legislation, responsible for the fulfilment of obligations defined by the law provisions. 
    Data Processor: A natural or legal person, public authority, agency or other body, which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. 
    Regulator: Office of the Information and Data Protection Commissioner ('IDP')

  • Alberta

    Law: Personal Information Protection Act, SA 2003 c P-6.5 ('PIPA')
    Data Controller | Data Processor: There is no definition of data controller or data processor within PIPA. In particular, PIPA is applicable to every organisation and in respect of all personal information, apart from public bodies or information in the custody or control of a public body. Moreover, PIPA does not apply to the collection, use or disclosure of personal information for personal or domestic, artistic or literary, journalistic or certain other purposes. 
    Personal Data: Information about an identifiable individual. 
    Regulator: Office of the Information and Privacy Commissioner of Alberta ('OIPC')

  • Algeria

    Law: Law No. 18-07 of 25 Ramadhan 1439 Corresponding to June 10, 2018 Relating to the Protection of Individuals in the Processing of Personal Data (only available in French here)
    Data Controller: Any natural or legal person, public or private, or any other entity which, alone or together with others, determines the purposes and means of data processing.
    Data Processor: Any natural or legal person, public or private or any other entity that processes personal data on behalf of the data controller.
    Personal Data: Any information, whatever its medium, concerning an identified or identifiable person ('data subject') directly or indirectly, in particular by reference to a number of identification or to one or more specific elements of his/her physical, physiological, genetic, biometric, psychic, economic, cultural or social identity.
    Regulator: The Law provides that an independent Algerian data protection authority is established within the office of the President of the Republic of Algeria.

  • Andorra

    Law: Qualified Act 15/2003, of 18 December, of Personal Data Protection
    Data Controller: A 'processing manager' is the individual or legal persona, whether of a public or private nature, with decision over personal data processing and the means used for this processing, and which oversees that the intended purposes of the processing correspond to those specified in the rule or decision to create the file. 
    Data Processor: A 'supplier of personal data services' is the individual or legal persona, of a public or private nature, which processes the data for the account of the processing manager, or accesses the personal data in order to supply a service in favour of or under the control of the processing manager, provided that the data accessed are not used for its own purposes, and are not made available outside the instructions received or for purposes other than the service to be supplied to the manager. 
    Personal Data: All information relating or linked to identified or identifiable individuals. 
    Regulator: Andorran data protection authority ('APDA')

  • Angola

    Law: Law No. 22/11 on the Protection of Personal Data ('the Law') (only available in Portuguese here)
    Data Controller: Any natural or legal person that determines the purposes for which personal data is to be processed and the means through which this will be done. 
    Data Processor: A natural or legal person that processes personal data on behalf of a data controller. 
    Personal Data: Any information, regardless of its nature or the media on which it is stored, relating to an identifiable natural person (referred to as 'the data subject'). Natural persons are deemed to be identifiable whenever they can be directly or indirectly identified through such information. 
    Regulator: The President of Angola passed, on 10 October 2016, Decree No. 214/16 that establishes the organisational framework of the data protection authority. The Ministry of Telecommunications and Information Technology ('MTTI') announced, on 9 October 2019, that the Data Protection Agency ('APD') had become operational.

  • Antigua and Barbuda

    Law: Data Protection Act, 2013 
    Data Controller: A 'data user' is defined as a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data. 
    Data Processor: There is no definition of data processor in the Act, other than to say that it does not fall under the definition of data user. 
    Personal Data: Any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject. 
    Regulator: According to the Act, the regulator is the Information Commissioner ('the Commissioner') established under the Freedom of Information Act 2004. A Commissioner was appointed in 2012. However, though the Freedom of Information Act states that the Commissioner shall hold office for a term of three years and may be re-appointed for a further term of three years, there is currently no information available as to whether this occurred.

  • Argentina
    • Discussing

    Law: Personal Data Protection Act, Act No. 25.326 of 2000 ('the Act') and Decree No. 1558/2001 Regulating Law No. 25.326 (only available in Spanish here)*.
    Data Controller: There is no definition of data controller within the Act. However, 'the person responsible for a data file, register, bank or database' is defined as the natural person or legal entity, whether public or private, that owns a data file, register, bank or database. Moreover, 'data user' is defined as any person, whether public or private, performing at their discretion the processing of data contained in data files, registers, databases or databanks, whether owned by them or to which they may have access through a connection. 
    Data Processor: There is no definition of data processor within the Act. However, Article 10 of the Act states that any persons who take part in any phase of the processing of personal data are bound to professional secrecy. 
    Personal Data: Information of any kind referred to certain or ascertainable natural persons or legal entities. 
    Regulator: Argentinian data protection authority ('AAIP').

    *The AAIP announced, on 20 September 2018, that the President of the Argentine Republic, Mauricio Macri, had sent a draft data protection bill (only available in Spanish here) to the National Congress of Argentina for consideration. You can find further information here.

  • Armenia

    Law: Law of the Republic of Armenia of 13 June 2015 No. 49-ZR on the Protection of Personal Data ('the Law')
    Data Controller | Data Processor: There is no definition of either data controller or data processor in the Law. A 'personal data processor' is a state administration or local self-government body, state or community institution or organisation, legal or natural person, which organises and/or carries out processing of personal data. 
    Personal Data: Any information relating to a natural person, which allows or may allow for the direct or indirect identification of a person's identity. 
    Regulator: The Agency for Personal Data Protection of the Ministry of Justice of the Republic of Armenia ('PDPA') is responsible for oversight of data protection legislation. The PDPA does not have its own website. The Ministry of Justice's website can be found here.

  • Aruba

    Law: National Ordinance of May 19, 2011 Laying Down New Rules for the Protection of Privacy in Connection with the Recording and Dissemination of Personal Data (only available in Dutch here).
    Data Controller: A 'holder' is a person who has control over the personal information. 
    Data Processor: The person who has in their possession all or a portion of the equipment that allows the processing of personal data of which he is not the owner. 
    Personal Data: Information that is traceable to an individual natural person. 
    Regulator: The Ordinance does not create a regulatory authority. 

  • Australia - Federal

    Law: Privacy Act 1988 (as amended) ('the Privacy Act')
    Data Controller | Data Processor: There is no distinction between a data controller and a data processor. The Act applies to entities covered by the Australian Privacy Principles, under Schedule 1 of the Act. 
    Personal Data: Any information or an opinion about an identified individual or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not. The information or opinion itself does not have to identify the individual or the individual does not need to be reasonably identifiable from that information or opinion only, but includes where an individual is reasonably identifiable by other means or from other information reasonably obtainable.
    Regulator: Office of the Australian Information Commissioner ('OAIC')

  • Australia - New South Wales

    Law: Privacy and Personal Information Protection Act 1998 No. 133 ('the Act'). Please note that the Act only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988. 
    Regulator: Information and Privacy Commission ('IPC')

  • Australia - Queensland

    Law: Information Privacy Act 2009 ('the Act'). Please note that the Act only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988. 
    Regulator: Office of the Information Commissioner ('OIC')

  • Australia - South Australia

    Law: Information Privacy Principles Instruction No.1 of 1989 as re-issued ('the Instruction'). Please note that the Instruction only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988. 
    Regulator: Privacy Committee of South Australia ('PCA')

  • Australia - Tasmania

    Law: Personal Information Protection Act 2004 (No. 46 of 2004) ('the Act'). Please note that the Act only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988. 
    Regulator: The Office of the Ombudsman ('the Ombudsman')

  • Australia - Victoria

    Law: Privacy and Data Protection Act 2014 (No. 60 of 2014) ('the Act'). Please note that the Act mainly applies to public bodies. Applicability to the private sector is limited to contracted service providers, but only in relation to the provision of services under State contracts containing provisions of a kind referred to in Section 17(2) of the Act.
    Regulator: The Office of the Victorian Information Commissioner ('OVIC') 

  • Australia - Western Australia

    Law: Freedom of Information Act 1992 (No. 76 of 1992) ('the Act'). Please note that the Act only applies to public bodies. Private organisations are subject to the federal Privacy Act 1988. 
    Regulator: Office of the Information Commissioner ('OIC')

  • Austria

    Law: Federal Act on the Protection of Individuals With Regard to the Processing of Personal Data (Data Protection Act (DSG) BGBI. I No. 165/1999) (last amended in 2019) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Austrian data protection authority ('DSB')

  • Azerbaijan

    Law: Law of 11 May 2010 No. 998-IIIQ on Personal Data (only available in Azerbaijani here).
    Data Controller: A 'personal data owner' is a state or local self-governing body, natural or legal person which defines the purpose or objectives of the personal data processing, and reserves the full possession, use and disposal of exercising their rights in relation to data on an information system under the personal data legislation. 
    Data Processor: A 'personal data operator' is an owner of personal data, a state or local self-governing body, natural or legal person, carrying out personal data collection, and the processing and protection of personal data, on terms determined by the owner or his or her delegate. 
    Personal Data: Any information that directly or indirectly allows for the determination of the identity of the person. Additionally, this may include a data subject's name, surname, father's name, date and place of birth, sex, nationality, phone number and email address, place of residence, profession and place of work, type of activities, marital status, photograph and other information. 
    Regulator: Ministry of Transport, Communications and High Technologies.

  • Azores
    • Drafted

    Law: Draft Act 67/98 of 26 October on the Protection of Personal Data and the General Data Protection Regulation (Regulation (EU) 2016/679)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Portuguese data protection authority ('CNPD')

    *Azores form part of the outermost region and as such they are an integral part of the European Union. However, please note that the applicability of the above mentioned laws may be subject to variations. You can find further information here.

  • Bahamas

    Law: Data Protection (Privacy of Personal Information) Act 2003
    Data Controller: A person who, either alone or with others, determines the purposes for which and the manner in which any personal data are, or are to be, processed. 
    Data Processor: A person who processes personal data on behalf of a data controller but does not include an employee of a data controller who processes such data in the course of his employment. 
    Personal Data: Data relating to a living individual who can be identified either from the data or from the data in conjunction with other information in the possession of the data controller. 
    Regulator: The Data Protection Commissioner

  • Bahrain

    Law: Law No. (30) of the Year 2018 Issuing a Law on the Protection of Personal Data (only available in Arabic here) ('the Law')
    Data Controller: A person who, either alone or jointly or in common with other persons, determines the purposes and means of the processing of certain personal data. Where such purposes and means are established by law, the person responsible for the obligation to perform processing shall be the data controller.
    Data Processor: Any person, other than an employee of the data controller or data processor, who processes the data for and on behalf of the data controller.
    Personal Data: Any information, in any form, of an identified or identifiable individual, whether directly or indirectly, particularly through their personal identification number, or one or more of their formal, physiological, intellectual, cultural, economic or social identity. In order to determine whether an individual is capable of being identifiable or not, all means used by or available to the data controller or any other person shall be taken into consideration.
    Regulator: As per Resolution No. 78 of 2019 published in the Official Gazette, on 3 October 2019, the Ministry of Justice and Islamic Affairs shall exercise the duties of the Data Protection Authority.

  • Bangladesh

    No further information currently available.

  • Barbados
    • Drafted

    Law: There is no data protection law in place. However, there is the Data Protection Bill 2018.

  • Belarus
    • Drafted

    Law: Law of 10 November 2008 No. 455-W on Information, Informatization and Protection of Information (only available in Russian here) ('the Law on Information')*.
    Data Controller | Data Processor: There is no definition of data controller or data processor under the Law. An 'owner of the information' is a party in information relations who received the rights of an owner on the information on the grounds provided by laws. An 'owner of software and technical means, information resources, information systems and networks' is a party to information relations performing the rights of possession, usage and disposal of respective software and technical means, information resources, information systems and networks. An 'operator of an information system' is a party in information relations operating an information system and (or) providing services with the use of an information system. A 'possessor of software and technical means, information resources, information systems and networks' is a party in information relations performing rights of possession, usage and disposal of respective software and technical means, information resources, information systems and networks within the limitations and in order defined by their owner according to the laws. An 'information intermediary' is a party to information relations providing information services to users and (or) owners of the information. A 'user of an information system and (or) information network' is a party to information relations who has obtained access and is using an information system and (or) information network. A 'user of information' is a party in information relations obtaining, distributing and (or) providing and performing the right to use the information. 
    Personal Data: Basic and additional individual personal data subject to submission to the Population Register under Belarus law, as well as other data enabling the identification of an individual. 
    Regulator: There is no special state regulator for data protection in Belarus. General governance in the sphere of information protection is performed by the President of the Republic of Belarus and the Council of Ministers of the Republic of Belarus that lay down the general requirements and ensure a unified state policy in the sphere of data protection. 

    *The National Centre of Legal Information of the Republic of Belarus announced, on 4 July 2018, that the National Centre for Legislation and Legal Studies of the Republic of Belarus had issued a draft law on personal data (only available in Russian here) for public discussion.

  • Belgium

    Law: Act of 3 December 2017 Establishing the Data Protection Authority, Act of 30 July 2018 on the Protection of Natural Persons with Regard to the Processing of Personal Data and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Data Protection Authority ('DPA')

  • Belize

    No further information currently available.

  • Benin

    Law: Law No. 2009-09 of May 22, 2009 Dealing with the Protection of Personally Identifiable Information
    Data Controller: A 'person in charge of the processing of personally identifiable information' is defined as an individual, the public authority, the office or the entity that determines its finalities and its means. 
    Data Processor: A 'subcontractor' is defined as any person processing personally identifiable information on the behalf of (or under) the person in charge or responsible of the processing. 
    Personal Data: Any information that can identify, distinguish or trace any specific individual or susceptible to be, linked or linkable, such as an identification number or to one or different elements that are particular to that individual. The identification is made with the medium available or one that can be accessible to, the responsible of the processing or any other person. 
    Regulator: Beninese data protection authority ('APDP') 

  • Bermuda

    Law: Personal Information Protection Act 2016 ('PIPA'). Please note that PIPA is not yet applicable as it awaits the appointment of the Privacy Commissioner of Bermuda, and as such, the implementation period for the substantive provisions of PIPA has yet to be confirmed by the Government of Bermuda.
    Data Controller: There is no definition of 'data controller'; however, PIPA applies to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means and to the use other than by automated means of personal information which form, or are intended to form, part of a structured filing system.
    Data Processor: There is no definition of 'data processor'; however, PIPA states that where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with PIPA at all times.
    Personal Data: Personal information is defined as any information about an identified or identifiable individual. 
    Regulator: The Privacy Commissioner, provided for under PIPA, has not yet been established.

  • BES Islands

    Law: Act of May 17, 2010 Containing Rules on the Protection of Personal Data of Bonaire, Sint Eustatius and Saba (BES Data Protection Act) (only available in Dutch here).
    Data Controller: The 'responsible party' is the natural or legal person or any other person or administrative body that determines alone, or jointly with others, the purposes and means of processing personal data. 
    Data Processor: The person who processes data on behalf of the data controller, without coming under their direct authority. 
    Personal Data: Any information relating to an identified or identifiable natural person. 
    Regulator: Commission for the Supervision of Data Protection BES ('CBP BES')

  • Bhutan

    Currently, there is no comprehensive data protection law in Bhutan. However, the Information Communications and Media Act of Bhutan 2018 ('the Act') is the key legislation that provides detailed regulation in respect of establishing and protecting personal information.

  • Bolivia

    Currently, there is no general data protection law in Bolivia. However, Articles 21 and 130 of the Bolivian Constitution 2009 guarantee the right to privacy.

  • Bosnia & Herzegovina

    Law: Law on the Protection of Personal Data No. 49/06
    Data Controller: Any public authority, natural or legal person, agency or any other body, which, independently or together with another party, manages, processes and determines the purpose and the manner of personal data processing on the basis of laws or regulations. 
    Data Processor: A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. 
    Regulator: Agency for Personal Data Protection in Bosnia and Herzegovina ('AZLP')

  • Botswana
    • Drafted

    DataGuidance confirmed with Alex B. Makulilo, Professor of Law and Technology at the Open University of Tanzania, that Botswana has drafted the Data Protection Bill 2017.

  • Brazil

    Law: Law No. 13.709 of 14 August 2018, General Personal Data Protection Law (as amended by Law No. 13.853 of 8 July 2019) (only available in Portuguese here) ('LGPD')*
    Data Controller: The natural or legal person, public or private, who is responsible for decisions concerning the processing of personal data. 
    Data Processor: The natural or legal person, public or private, who performs the processing of personal data on behalf of the controller. 
    Personal Data: Information concerning an identified or identifiable natural person. 
    Regulator: The Brazilian data protection authority ('ANPD').

    *The LGPD is expected to enter into force in August 2020. 

  • British Columbia

    Law: Personal Information Protection Act, SBC 2003 c 63 ('PIPA')
    Data Controller | Data Processor: There is no definition of data controller or data processor in PIPA. In particular, PIPA is applicable to every organisation and in respect of all personal information, apart from the collection, use or disclosure of personal information for personal or domestic, artistic or literary, journalistic or certain other purposes. 
    Personal Data: Information about an identifiable individual and includes employee personal information, but does not include contact information or work product information. 
    Regulator: Office of the Information and Privacy Commissioner for British Columbia ('OIPC')

  • Brunei Darussalam

    No further information currently available.

  • Bulgaria

    Law: Protection of Personal Data Act 2002 (last amended in 2019) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: An 'administrator of personal data' is a natural or legal person, as well as a body of state power or local government, that independently or jointly with another person determines the purposes and means of processing personal data. An administrator is also a natural person or a legal person, as well as a body of state power or local government processing personal data the type, the purposes and means of processing of which are determined by a law. In such cases the administrator or the specific criteria of his appointment shall be normatively specified.
    Data Processor: A 'person processing personal data' is an individual or a corporate body or a body of state power or a body of local government, which is processing personal data on behalf of the administrator of personal data. 
    Personal Data: Any information related to a natural person, who is identified or may be identified directly or indirectly by an identification number or through one or more specific indices.
    Regulator: Commission for Personal Data Protection ('CPDP')

  • Burkina Faso

    Law: Law No. 010-2004/AN on the Protection of Personal Data (only available in French here) ('the Law').
    Data Controller: The 'person responsible for processing' is defined as the natural or legal person, public or private who has the power to decide on the creation of personal data. 
    Data Processor: There is no definition of data processor within the Law. 
    Personal Data: All information, regardless of the form, directly or indirectly, which enables the identification of individuals, including by identification number, or by several specific elements relating to the individual’s physical, physiological, psychical, mental, cultural, social or economic identity. 
    Regulator: The Burkina Faso data protection authority ('CIL')

  • Burundi

    Currently, there is no data protection law in Burundi. However, Articles 468-470 of the Penal Code 2009 (only available in French here) include some provisions related to computer fraud and unlawful modification of data.

  • Cambodia

    No further information currently available.

  • Cameroon

    Currently, there is no data protection law in Cameroon. However, the Constitution of Cameroon provides that the privacy of all communication is inviolate and no search may be conducted except by virtue of the law. Additionally, Section IV of Law No. 2010/012 of 21 December 2010 on Cybersecurity and Cybercrime in Cameroon (only available in French here) includes provisions on the protection of individuals' privacy, data retention and electronic communications.

  • Canada Federal

    Law: Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA')
    Data Controller | Data Processor: There is no definition of data controller or data processor in PIPEDA. An 'organisation' that PIPEDA applies to is one that collects, uses or discloses personal information in the course of commercial activities; or, one that collects, uses or discloses personal information about an employee of, or an applicant for employment with, the organisation, in connection with the operation of a federal work, undertaking, or business. 
    Personal Data: Any information referring directly or indirectly to a particular or identified individual. 
    Regulator: Office of the Privacy Commissioner of Canada ('OPC')

  • Canary Islands
    • Drafted

    Law: General Data Protection Regulation (Regulation (EU) 2016/679) and Organic Law 15/1999 of 13 December on the Protection of Personal Data (a consolidated version is only available in Spanish here), Royal Decree-Law 5/2018, of 27 July, on Urgent Measures for the Adaptation of Spanish Law to EU Regulations on Data Protection (only available in Spanish here)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Spanish data protection authority ('AEPD')

    *The Canary Islands form part of the outermost region and as such they are an integral part of the European Union. However, please note that the applicability of the above mentioned laws may be subject to variations. You can find further information here.

  • Cape Verde

    Law: Law 133-V-2001 on the Protection of Personal Data
    Data Controller: Any person or group, public authority, the service or any other entity/body that alone or jointly with others determine(s) the purposes or the means for the processing of personal data. 
    Data Processor: Any person or group, a public authority, agency or any other entity/body that processes personal data on behalf of the controller.
    Personal Data: Any information of any type/nature and irrespective of the medium involved, including sound and image relating to an identified or identifiable person.
    Regulator: National Commission of Data Protection ('CNPD')

  • Cayman Islands

    Law: The Data Protection Law, 2017 (Law 33 of 2017)
    Data Controller: The person who, alone or jointly with others determines the purposes, conditions and manner in which any personal data are, or are to be, processed. This includes the local representative nominated by a data controller that is not established in the Cayman Islands but that processes personal data in the Cayman Islands other than for the purposes of transit of the data through the Islands. 
    Data Processor: Any person who processes personal data on behalf of a data controller but, for the avoidance of doubt, does not include an employee of the data controller. 
    Personal Data: Data relating to a living individual who can be identified and includes data such as the living individual's location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the living individual; an expression of opinion about the living individual; or any indication of the intentions of the data controller or any other person in respect of the living individual.
    Regulator: Office of the Ombudsman

  • Central African Republic

    Currently, there is no data protection law in the Central African Republic. Article 13 of the Constitution of the Central African Republic (only available in French here) guarantees the secrecy of the correspondence, as well as postal, electronic communications, telegraph and telephone.

  • Chile
    • Discussing

    Law: Law No. 19.628 on the Protection of Private Life 1999 ('the Law') (only available in Spanish here)*.
    Data Controller: The 'person responsible for the register or database' is the natural or legal private person, or a public organisation, that is competent to adopt decisions concerning the processing of personal data. 
    Data Processor: There is no definition of data processor in the Law. 
    Personal Data: Information concerning identified or identifiable natural persons. 
    Regulator: Chilean Transparency Council ('CPLT')

    *Bill No. 11144-07 Regulating the Processing and Protection of Personal Data and Creating the Personal Data Protection Authority is currently under discussion.

  • China

    Law: There is no general data protection law in place. Regulation is adopted on a sectoral basis, with data protection provisions scattered across regulation applicable to specific sectors. 'Network operators' and 'operators of critical information infrastructure,' however, must comply with the requirements of the Cybersecurity Law 2016, which came into effect on 1 June 2017 (only available in Chinese here) ('the Law'). An unofficial English version of the Law is available here. In addition, the Information Security Technology – Personal Information Security Specification (GB/T 35273-2017) (only available in Chinese here) ('the Specification') offers a standard for best practice in handling personal information. However, it must be noted that the Specification is non-binding.
    Data Controller | Data Processor: The Law applies to 'network operators' and 'operators of critical information infrastructure.' The precise scope of the latter term remains unclear, but network operators are owners and administrators of networks, as well as network service providers. In addition, the Specification defines a data controller as an organisation or individual that has the right to determine the purpose and manner of personal information. 
    Personal Data: The Law and the Specification define personal information as: Information recorded by electronic or other means that, alone or jointly with other information, can serve to identify a natural person, including but not limited to a natural person’s name, date of birth, identification number, personal biometrics data, address, or phone number.
    Regulator: There is no single regulator in place. Select regulators include The Ministry of Industry and Information Technology ('MIIT') and The Cyberspace Administration of China ('CAC').

  • Collectivity of Saint Martin

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) and the General Data Protection Regulation (Regulation (EU) 2016/679)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Colombia

    Law: Statutory Law 1581 of 2012 (October 17) Which Issues General Provisions for the Protection of Personal Data (only available in Spanish here) and Decree 1377 of 2013 (June 27) Which Partially Regulates Law 1581 of 2012 (only available in Spanish here).
    Data Controller: The 'person responsible for the processing' is a natural or legal person, public or private, that either alone or in association with others, decides on the database and/or the data processing. 
    Data Processor: The 'person in charge of the processing' is the natural or legal person, public or private, that either alone or in association with others, processes personal data on behalf of the data controller. 
    Personal Data: Any information linked to or that can be associated with one or more identified or identifiable natural persons.
    Regulator: Colombian data protection authority ('SIC').

  • Cook Islands

    No further information currently available.

  • Costa Rica

    Law: Law on the Protection of Persons Regarding the Processing of their Personal Data No. 8968 of 2011 (only available to download in Spanish here) and Executive Decree No. 37554-JP of 30 October 2012 Regulating Law No. 8968 (only available in Spanish here), as amended by Decree No. 40008-JP (only available in Spanish here).
    Data Controller: The 'person responsible for the database' is the natural or legal person who administers, manages or is in charge of the database, be it a public or private entity, competent pursuant to the law to decide on the purpose of the database, the categories of personal data that must be registered and the type of processing they can undergo. 
    Data Processor: The 'person in charge of the processing' is any natural or legal person, public or private entity, or any other body that processes the personal data on behalf of the data controller. 
    Personal Data: Any data concerning an identified or identifiable natural person. 
    Regulator: Costa Rican data protection authority ('PRODHAB').

  • Croatia

    Law: Law on the Implementation of the General Data Protection Regulation 2018 (only available in Croatian here) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Personal Data Protection Agency ('AZOP')

  • Cuba

    Currently, there is no general data protection law in Cuba. However, Article 97 of the Constitution of the Republic of Cuba 2019 (only available in Spanish here) ('the Constitution') recognises the right of individuals to access their personal information in public registries, archives, or other databases, as well as to request its non-disclosure or request the correction, rectification, modification, update, or deletion of personal information. In addition, Article 50 of the Constitution guarantees the right of inviolability of correspondence and communications.

  • Curaçao

    Law: Ordinance No. 84 of 4 September 2010 Laying Down Rules on the Protection of Personal Data (Data Protection Ordinance) (only available in Dutch here).
    Data Controller: The 'responsible party' is the natural or legal person or any other person or administrative body that determines alone, or jointly with others, the purposes and means of processing personal data. 
    Data Processor: The person who processes data on behalf of the data controller, without coming under their direct authority. 
    Personal Data: Any information relating to an identified or identifiable natural person. 
    Regulator: The Data Protection Board, provided for under the Ordinance, has not yet been established.

  • Cyprus

    Law: Law 125(I) of 2018 Providing for the Protection of Natural Persons with Regard to the Processing of Personal Data and for the Free Movement of Such Data and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Office of the Commissioner for Personal Data Protection ('the Commissioner')

  • Czech Republic

    Law: Act No. 110/2019 Coll. on Personal Data Processing and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Office for Personal Data Protection ('UOOU')

  • Denmark

    Law: Act No. 502 of 23 May 2018 on Supplementary Provisions to the Regulation on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data (the Data Protection Act) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Danish Data Protection Authority ('Datatilsynet')

  • Dominican Republic

    Law: Law No. 172-13 on the Comprehensive Protection of Personal Data Contained in Archives, Public Registries, Databases or Other Technical Means of Data Processing Used for Reporting, Whether Public or Private 2013 (only available to download in Spanish here) ('the Law').
    Data Controller: The 'person responsible for the processing' of personal data is any person, public or private, that holds the personal data file and decides on the purpose, content, means of processing and use of the information obtained via the processing of personal data. 
    Data Processor: The 'person in charge of the processing' of personal data is the natural or legal person, public or private, who carries out the processing of the personal data on behalf of the controller. 
    Personal Data: Any numerical, alphabetical, graphic, photographic, acoustic or any other information concerning identified or identifiable natural persons. 
    Regulator: Though the Law does not create a general data protection authority, it does state that the Banking Authority is in charge of supervising public or private files, registers or databases that are intended to provide credit reports.

  • Ecuador
    • Drafted

    Law: The National Directorate of the Public Data Registry ('DINARDAP') published, on 20 September 2019, a Draft Law for the Protection of Personal Data ('the Draft Law') (only available in Spanish here).
    Data Controller: The Draft Law defines a data controller as the natural or legal person, public or private, that decides on the processing of personal data. 
    Data Processor: The Draft Law defines a data processor as a person who processes personal data by name and on behalf of a person in charge of personal data processing.
    Personal Data: The Draft Law defines personal data as all the information concerning a natural person who is identified or identifiable, determined or determinable, directly or indirectly, in the present or future, including fragments of data, metadata and innocuous data.
    Regulator: As the Data Protection Authority ('DPA') has not yet been established by the Draft Law, the current authority in place in Ecuador is DINARDAP.

  • Egypt
    • Draft approved

    OneTrust DataGuidance confirmed, on 4 November 2019, with Dr. Mohamed Hegazy, Head of Regulations and Laws Committee, Ministry of Communications and Information Technology, that the House of Representatives had approved, in principle, on 3 November 2019, Egypt's first draft law on data protection ('the Draft Law').

  • El Salvador
    • Drafted

    DataGuidance confirmed with Morena Zavaleta, Partner at Arias, on 20 September 2018, that, "El Salvador has a draft data protection law ('the Draft') since several years ago, that is yet to be submitted to Congress. The Draft is still under review by the commerce ministry, and it is not expected to be submitted to Congress this year and probably not the next year, which is an electoral year."

  • Equatorial Guinea

    Law: Law No. 1/2016. There is currently no available copy of the Law. 
    Data Controller: Any natural or legal person, whether public or private, which processes personal data on its own behalf. 
    Data Processor: The natural or legal person, public authority, service or any other body which processes personal data on behalf of the data controller. 
    Personal Data: Any information, testimony or summary concerning identified or identifiable natural persons ('the data subject'). 
    Regulator: Equatorial Guinea data protection authority. Please note that the regulator is not yet operational. 
    Contributor: João Luís Traça and Pedro Marques Gaspar, Partner and Associate respectively at Miranda & Associados

  • Eritrea

    Currently, there is no data protection law in Eritrea. Article 18 of the Constitution 1997 guarantees the right to privacy, in particular the non-interference of communication without reasonable cause. Furthermore, Article 298 of the Penal Code 2015 penalises the violation of privacy, in particular the unlawful interception of communication.

  • Estonia

    Law: Personal Data Protection Act 2018 and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Data Protection Inspectorate ('DPI')

  • Eswatini
    • Drafted

    Law: DataGuidance confirmed with Alex B. Makulilo, Professor of Law and Technology at the Open University of Tanzania, that Eswatini has a draft data protection bill.

  • Ethiopia
    • Drafted

    DataGuidance confirmed with Alex B. Makulilo, Professor of Law and Technology at the Open University of Tanzania, that Ethiopia has a draft data protection bill. No further information is currently available. 

  • EU

    Law: General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Each EU Member State has its own national data protection authority. In addition to these, the European Data Protection Supervisor ('EDPS') is an independent supervisory authority which is devoted to protecting personal data and privacy and promoting good practice in EU institutions and bodies. The EDPS and the national data protection authorities form part of the European Data Protection Board ('EDPB'), an independent European body, which contributes to the consistent application of data protection rules throughout the EU, and promotes cooperation between the EU’s data protection authorities.

  • Finland

    Law: Data Protection Act (1050/2018) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Office of the Data Protection Ombudsman

     

  • France

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679). An unofficial English version of the Act is available here.
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *Note: Ordinance No. 2018-1125 of 12 December 2018 Amending Act No. 78-17 of 6 January 1978 on Information Technology, Data Files and Civil Liberties and Various Provisions Concerning the Protection of Personal Data (only available in French here) will enter into force no later than 1 June 2019. 

  • French Polynesia

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties*
    Data Controller: A person, public authority, department or any other organisation who determines the purposes and means of the data processing.
    Data Processor: A person who acts under the authority of the data controller or that of the processor, may process personal data only under the data controller’s instructions.
    Personal Data: Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. In order to determine whether a person is identifiable, all the means that the data controller or any other person uses or may have access to should be taken into consideration.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • French Southern and Antarctic Lands

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties*
    Data Controller: A person, public authority, department or any other organisation who determines the purposes and means of the data processing.
    Data Processor: A person who acts under the authority of the data controller or that of the processor, may process personal data only under the data controller’s instructions.
    Personal Data: Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. In order to determine whether a person is identifiable, all the means that the data controller or any other person uses or may have access to should be taken into consideration.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Gabon

    Law: Law No. 001/2011 on the Protection of Personal Data (only available in French here).
    Data Controller: Any natural, legal, public or private person, any other authorised body or association which, alone or jointly with others, takes the decision to collect and process personal data and determines their purposes. 
    Data Processor: Any natural or legal person, public or private, any other organisation or association that processes data on behalf of the data controller. 
    Personal Data: Any information relating to a natural person identified or identifiable directly or indirectly by reference to an identification number or to one or more elements specific to his physical, physiological, genetic, psychological, cultural, social or economic identity. 
    Regulator: Gabon data protection authority ('CNPDCP')

  • Georgia

    Law: Law of Georgia on Personal Data Protection of 28 December 2011 No. 5669
    Data Controller: A public agency, a natural or legal person who individually or in collaboration with others determines purposes and means of personal data processing and who, directly or through a data processor, processes personal data. 
    Data Processor: Any natural or legal person who processes personal data for or on behalf of the data controller. 
    Personal Data: Any information connected to an identified or identifiable natural person. A person shall be identifiable when he/she may be identified directly or indirectly, in particular by an identification number or by any physical, physiological, psychological, economic, cultural or social features specific to this person. 
    Regulator: Office of the Personal Data Protection Inspector ('PDP')

  • Germany - Baden-Württemberg

    Law: State Data Protection Act (LDSG) 2018 (only available in German here)
    Regulator: Baden-Württemberg data protection authority ('LfDI Baden-Württemberg')

  • Germany - Bavaria

    Law: Bavarian Data Protection Act (BayDSG) of 15 May 2018 (only available in German here)
    Regulators: Data Protection Authority of Bavaria for the Private Sector ('BayLDA'); Bavarian data protection authority ('BayLfD')

  • Germany - Berlin

    Law: Berlin Data Protection Act ('BlnDSG') of 13 June 2018 (only available in German here)
    Regulator: Berlin data protection authority ('Berlin Commissioner')

  • Germany - Brandenburg

    Law: Brandenburg Data Protection Act ('BbgDSG') of 8 May 2018 (only available in German here)
    Regulator: State Commissioner for Data Protection and Access to Information Brandenburg ('Brandenburg LDA')

  • Germany - Bremen

    Law: Bremen Implementation Act to the EU General Data Protection Regulation (BremDSGVOAG) of 8 May 2018 (only available in German here)
    Regulator: Bremen data protection authority ('the Bremen Commissioner')

  • Germany - Federal

    Law: Federal Data Protection Act of 30 June 2017 (implementing the GDPR) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Federal Commissioner for Data Protection and Freedom of Information ('BfDI') 

  • Germany - Hamburg

    Law: Hamburg Data Protection Act (HmbDSG) of 18 May 2018 (only available in German here)
    Regulator: The Hamburg Commissioner for Data Protection and Freedom of Information ('HmbBfDI')

  • Germany - Hesse

    Law: Hessian Data Protection and Freedom of Information Act (HDSIG) of 3 May 2018 (only available in German here)
    Regulator: Hessen data protection authority ('HBDI')

  • Germany - Lower Saxony

    Law: Lower Saxony Data Protection Act (NDSG) of 16 May 2018 (only available in German here)
    Regulator: Lower Saxony data protection authority ('LfD Niedersachsen')

  • Germany - Mecklenburg-Vorpommern

    Law: State Data Protection Act (DSG M-V) of 22 May 2018 (only available in German here)
    Regulator: Mecklenburg-Vorpommern data protection authority

  • Germany - North Rhine-Westphalia

    Law: Data Protection Law North Rhine-Westphalia (DSG NRW) 2018 (only available in German here)
    Regulator: North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information ('LDI NRW')

  • Germany - Rhineland-Palatinate

    Law: State Data Protection Act (LDSG) of 8 May 2018 (only available in German here)
    Regulator: Rhineland-Palatinate data protection authority ('LfDI Rhineland-Pfalz')

  • Germany - Saarland

    Law: Saarland Data Protection Act ('SDSG') of 16 May 2018 (only available in German here)
    Regulator: Saarland data protection authority

  • Germany - Saxony

    Law: Saxon Data Protection Act (SächsDSG) of 25 August 2003, as amended to implement the GDPR (only available in German here)
    Regulator: Saxon data protection authority ('SächsDSB')

  • Germany - Saxony-Anhalt

    Law: Data Protection Act Saxony-Anhalt ('DSG LSA') of 12 March 1992, as amended (only available in German here)
    Regulator: Sachsen-Anhalt data protection authority ('LfD Sachsen-Anhalt')

  • Germany - Schleswig-Holstein

    Law: Schleswig-Holstein Law for the Protection of Personal Data (LDSG) of 2 May 2018 (only available in German here)
    Regulator: Schleswig-Holstein data protection authority ('ULD')

  • Germany - Thuringia

    Law: Thuringian Data Protection and Implementation Act ('ThürDSAnpUG-EU') of 6 June 2018 (only available in German here)
    Regulator: Thuringian data protection authority ('TLfDI')

  • Ghana

    Law: Data Protection Act, 2012
    Data Controller: A person who either alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed. 
    Data Processor: Any person other than an employee of the data controller who processes the data on behalf of the data controller. 
    Personal Data: Data about an individual who can be identified, (a) from the data, or (b) from the data or other information in the possession of, or likely to come into the possession of the data controller.
    Regulator: The Data Protection Commission

  • Gibraltar

    Law: Data Protection Act 2004 (as amended in 2018) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Gibraltar Regulatory Authority ('GRA')

  • Greece

    Law: Law No. 4624/2019 on the Personal Data Protection Authority, Implementing the General Data Protection Regulation (Regulation (EU) 2016/679) and Transposing into National Law Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) and Other Provisions (only available to download in Greek here) and General Data Protection Regulation (Regulation (EU) 2016/679).
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: The Hellenic data protection authority ('HDPA')

  • Greenland

    Law: Personal Data Protection Act 2016 (available only in Greenlandic here and in Danish here).
    Data Controller: A natural or legal person, public authority, institution or any other who alone or together with others decides on the purpose and means of processing.
    Data Processor: A natural or legal person, public authority, institution or any other who processes information on behalf of the data controller.
    Personal Data: Any type of information about one identified or identifiable natural person.
    Regulator: Danish data protection authority ('Datatilsynet')

  • Guadeloupe

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) and the General Data Protection Regulation (Regulation (EU) 2016/679)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Guatemala

    Currently there is no data protection law in Guatemala. However, Article 31 of the Political Constitution of the Republic of Guatemala 1985 ('the Constitution') (only available in Spanish here) provides each person the right to access, know the purpose of, and correct personal data held within public files, records, or government registries. Article 24 of the Constitution guarantees the protection of correspondence, documents, and books.

    Decree No. 57-2008 on the Law of Access to Public Information (only available in Spanish here and a commentary to it here) provides for the regulation of access to information by public institutions.

    Guatemala does not have a data protection authority.

  • Guernsey

    Law: The Data Protection (Bailiwick of Guernsey) Law, 2017, The Data Protection (Commencement, Amendment and Transitional) (Bailiwick of Guernsey) Ordinance, 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A person that, alone or jointly with others, determines the purposes and means of the processing of any personal data, and (b) for the avoidance of doubt, includes a processor or any other person, where the processor or other person determines the purposes and means of processing personal data.
    Data Processor: An individual or other person that processes personal data on behalf of a controller, and (b) includes a secondary processor within the meaning of section 36(1).
    Personal Data: Any information relating to an identified or identifiable individual.
    Regulator: The Office of the Data Protection Authority ('ODPA')

  • Guinea

    Currently, there is no data protection law in Guinea. Article 12 of Guinea's Constitution of 2010 guarantees the right to privacy in relation to communications.

  • Guinea-Bissau

    Currently, there is no data protection law in Guinea-Bissau. However, the Constitution 1984 protects citizens’ right to private communication except in cases provided by the law under Article 48.

  • Guyana

    No further information currently available.

  • Haiti

    No further information currently available.

  • Honduras
    • Discussing

    Law: DataGuidance confirmed with The Honduran Institute for Access to Public Information ('IAIP'), on 14 November 2018, that the National Congress had resumed discussion of the personal data protection bill ('the Bill') on 25 April 2018, and that to date, 36 out of 97 Articles of the Bill had been approved.

    Data Controller: There is currently no definition of data controller.
    Data Processor: There is currently no definition of data processor. 
    Personal Data: There is currently no definition of personal data.
    Regulator: A Honduran data protection authority has not yet been established. However, Jessy Aguilar, Associate at NASSAR ABOGADOS, noted, "The Bill seeks to expand the jurisdiction, faculties and attributions of the IAIP, modifying both its denomination and its scope."

  • Hong Kong

    Law: Personal Data (Privacy) Ordinance 1997 as amended in 2013 ('the Ordinance')
    Data Controller: A 'data user,' in relation to personal data, means a person who, either alone, jointly or in common with other persons, controls the collection, holding, processing or use of the data. 
    Data Processor: A person who (a) processes personal data on behalf of another person; and (b) does not process the data for any of the person’s own purposes. 
    Personal Data: Any data (a) relating directly or indirectly to a living individual; (b) from which it is practicable for the identity of the individual to be directly or indirectly ascertained; and (c) in a form in which access to or processing of the data is practicable. 
    Regulator: Office of the Privacy Commissioner for Personal Data ('PCPD')

  • Hungary

    Law: Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information as amended by Act XXXVIII of 2018 (a consolidated version is only available in Hungarian here) and General Data Protection Regulation (Regulation (EU) 2016/679).
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: National Authority for Data Protection and Freedom of Information ('NAIH')

  • Iceland

    Law: Act 90/2018 on Privacy and Processing of Personal Data (only available in Icelandic here) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: An individual, legal entity, governmental authority or other person who decides solely or in collaboration with others the purposes and methods of processing personal data.
    Data Processor: An individual, legal entity, government authority or other person processing personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Icelandic data protection authority ('Persónuvernd')

  • India
    • Drafted

    Law: The Personal Data Protection Bill, 2018 ('the Bill'). In addition, the Information Technology Act 2000 has been amended to address specific data protection concerns that have arisen.
    Data Controller: There is no definition of data controller. However, the Bill outlines that a data fiduciary means any person, including the state, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
    Data Processor: The Bill defines it as any person, including the state, a company, any juristic entity or any individual who processes personal data on behalf of the data fiduciary, but does not include an employee of the data fiduciary.
    Personal Data: The Bill defines it as data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information.
    Regulator: The Bill states, the Central Government shall, by notification, establish for the purposes of this Bill, an authority to be called the Data Protection Authority of India.

  • Indonesia
    • Drafted

    The Ministry of Communication and Information Technology ('Kominfo') announced, on 4 November 2019, that it will submit a draft of the Personal Data Protection Act ('the PDP Bill') by the end of this year. In particular, Kominfo highlighted that it will seek to accelerate discussions of regulations related to personal data and that it intends for the PDP Bill to be passed in 2020. Moreover, Kominfo outlined that a Ministerial Regulation (Permen) on Personal Data Protection has been prepared, which is not in conflict with the PDP Bill and may be issued depending on the progress of the PDP Bill discussions.

  • Iran
    • Drafted

    Law: Draft Protection and Protection of Personal Data Law ('the Draft Law') (only available in Persian here)
    Data Controller: The Draft Law states that a controller defines all or part of the purpose, mechanism, conditions, characteristics, and tools of one or more personal data processing operations for the processor.
    Data Processor: The Draft Law states that a processor is a remote controller for processing. If there is no control over the processor and the processor cannot be connected to it, the processor is also known as the controller.
    Personal Data: The Draft Law defines it as data that alone or with other data, directly or indirectly, identifies the data subject.
    Regulator: The Ministry of Communications and Information Technology (‘MICEX’)

  • Iraq

    Currently, there is no data protection law in Iraq. Article 17 of the Constitution 2005 provides for the right to privacy so long as it does not contradict the rights of others and public morals.

  • Ireland

    Law: Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Data Protection Commission ('DPC')

  • Isle of Man

    Law: Data Protection Act 2018, Data Protection (Application of the GDPR) Order 2018, Data Protection (Application of the LED) Order 2018, The GDPR and LED Implementing Regulations 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Information Commissioner

  • Israel

    Law: Protection of Privacy Law, 5741 - 1981 (unofficial translation) and Protection of Privacy Regulations (Data Security) 5777-2017 (unofficial translation).
    Data Controller | Data Processor: There is no definition of either data controller or data processor in the Law. A 'manager' is an active manager of a body that owns or possesses a database or a person whom the aforesaid manager authorised for this purpose. A 'possessor' is defined as a person who has a database in his possession permanently and is permitted to use it.
    Personal Data: Data on the personality, personal status, intimate affairs, state of health, economic position, vocational qualifications, opinions and beliefs of a person. 
    Regulator: Privacy Protection Authority ('PPA')

  • Italy

    Law: Personal Data Protection Code, Legislative Decree No. 196/2003 (a consolidated version with the amendments made by Legislative Decree 10 August 2018, no. 101, Provisions for the Adaptation of the National Legislation to the Provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) is only available in Italian here) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Italian data protection authority ('Garante')

  • Ivory Coast

    Law: Law 2013-450 on the Protection of Personal Data
    Data Controller: A 'person responsible for processing' is a natural or legal person, public or private, any other organisation or association which alone or jointly with others decides to collect and process personal data and determines the purposes. 
    Data Processor: A 'subcontractor' is any natural or legal person or entity, public or private, any other organisation or association that processes data on behalf of the data controller. 
    Personal Data: Any information of any kind and regardless of media, including sound and image related to an identified or identifiable directly or indirectly, by reference to an identification number or to one or more specific cultural, social and economic factors specific to his physical, physiological, genetic, psychological identity. 
    Regulator: The Telecommunications/ICT Regulatory Authority of Côte d'Ivoire ('ARTCI')

  • Jamaica
    • Drafted

    Law: A Bill Entitled an Act to Protect the Privacy of Certain Data and for Connected Matters 2017

    Data Controller: The Bill defines it as any person or public authority, who, either alone or jointly or in common with other persons determines the purposes for which and the manner in which any personal data are, or are to be, processed, and where personal data are processed only for purposes which they are required under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of the Bill a data controller. 

    Data Processor: The Bill defines it as any person other than an employee of the data controller who processes the data on behalf of the data controller.

    Personal Data: The Bill defines it as data relating to a living individual who can be identified from the data or from the data and other information in the possession of, or likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

    Regulator: The Bill requires the appointment of The Information Commissioner.

  • Japan

    Law: The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2016) ('APPI').

    Data Controller: Data Controller is not defined by the APPI. However, a Personal Information Controller ('PIC') is a business operator using a personal information database for its business and is a similar concept to a data controller (Article 2(5) of the APPI).

    Data Processor: Data Processor is not defined by the APPI.
    Personal Data: Personal information contained in a database (whether electronic or not) that enables easy retrieval of the personal information contained in it (personal information database). Personal Information is any information about a living individual which can identify the specific individual by name, date of birth or other description contained in such information (including such information as will allow easy reference to other information and will thereby enable the identification of the specific individual). 
    Regulator: Personal Information Protection Commission ('PPC')

  • Jersey

    Law: Data Protection (Jersey) Law 2018, Data Protection Authority (Jersey) Law 2018, and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body that, whether alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller, but does not include an employee of the controller.
    Personal Data: Any data relating to a data subject. A data subject is an identified or identifiable, natural, living person who can be identified, directly or indirectly, by reference to (but not limited to) an identifier such as: a name, an identification number or location data; an online identifier; or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the person.
    Regulator: Jersey Office of the Information Commissioner ('JOIC')

  • Jordan
    • Drafted

    The Ministry of Digital Economy and Entrepreneurship ('MoDEE') has drafted a Personal Data Protection Bill ('the Bill'). You can read the Bill, in Arabic only, here.

  • Kazakhstan

    Law: Law of 21 May 2013 No. 94-V on Personal Data and its Protection ('the Personal Data Law')
    Data Controller | Data Processor: There is no definition of either data controller or data processor within the Law. The Law refers to 'owners' and 'operators' of personal data. An 'operator of the database containing personal data' is a government body, a physical and/or a legal person carrying out the collection, processing and protection of personal data. An 'owner of the database containing personal data' is a government body, a physical and/or a legal person that possesses, uses and manages the database containing personal data in accordance with the laws of the Republic of Kazakhstan, which cover any entities involved in the collection, processing and protection of personal data. 
    Personal Data: Information relating to an individual, identified or identifiable on the basis of such personal data recorded on electronic, paper, and/or any other physical medium.  Personal data are divided into those which are publicly accessible and those with restricted access. 
    Regulator: There is no established data protection authority in Kazakhstan. However, various state authorities are responsible for personal data protection, including the Government of the Republic of Kazakhstan, the General Prosecutor's Office of the Republic of Kazakhstan, the National Security Committee of the Republic of Kazakhstan and the Ministry of Information and Social Development of the Republic of Kazakhstan

  • Kenya
    • Draft approved

    Law: The Data Protection Act, 2019
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purpose and means of processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.
    Personal Data: Any information relating to an identified or identifiable natural person.
    Regulator: Data Protection Commissioner

  • Kosovo
    • Drafted

    Law: Law No.03/L - 172 on the Protection of Personal Data*
    Data Controller: Any natural or legal person from the public or private sector who individually or jointly with others determines the purposes and means of the processing of personal data, or a person designated by law that also determines the purposes and means of processing. 
    Data Processor: Any natural or legal person or another person from the public or private sector that processes personal data on behalf and for the account of the data controller. 
    Personal Data: Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity. 
    Regulator: National Agency for the Protection of Personal Data ('AMDP')

    *Note: The Government submitted, on 11 June 2018, Draft Law no. 06/L-082 on Personal Data Protection to the Assembly of the Republic of Kosovo for its consideration.

  • Kuwait

    Currently, there is no data protection law in Kuwait.

  • Kyrgyzstan

    Law: Law of the Kyrgyz Republic of 14 April 2008 No. 58 on Personal Information as amended by the Law of the Kyrgyz Republic of 20 July 2017 No. 129 (only available in Russian here) ('the Law on Personal Data')
    Data Controller: A 'personal data holder' is a state authority, local government body, or legal entity entrusted with determining the purposes and categories of personal data and controlling collection, processing and use of personal data in compliance with the Law.
    Data Processor: A 'personal data handler' is an individual or a legal entity determined by the personal data holder that processes personal data on the basis of a contract signed with the holder.
    Personal Data: Information recorded on a material information carrier about a specific person, identified with a specific person or which may be identified with a specific person, allowing identification of this person, directly or indirectly by reference to one or more factors relating to biological, economic, cultural, civil or social identity.
    Regulator: There is no data protection regulator in place. The State Registration Service under the Government of the Kyrgyz Republic maintains the registration of data holders, although it is not considered as a data protection regulator. DataGuidance confirmed with Chynara Esengeldieva and Kymbat Ibakova, Managing Director and Senior Associate at Lorenz Law Firm, that although the Law establishes a supervisory authority with the power to ensure compliance with the Law and protect the rights of data subjects, the Government has not yet appointed or identified such an authority.

  • Lao PDR

    No further information currently available.

  • Latvia

    Law: Personal Data Processing Law of 21 June 2018 and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
    Regulator: Data State Inspectorate ('DVI')

  • Lebanon

    Law: Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data (only available in Arabic here) ('the Law').
    Data Controller: A 'personal data processor' is defined as the natural or legal person responsible for establishing the processing objectives and methods.
    Data Processor: A 'personal data recipient' is defined as the person authorised to receive the personal data. The personal data recipient shall be different from the personal data processor.
    Personal Data: Any information that helps to directly or indirectly identify a natural person, by comparing the data or overlapping collected data from multiple sources.
    Regulator: Not applicable.

  • Lesotho

    Law: Data Protection Act, 2013 ('the Act').
    Data Controller: A public or private body or any other person which or who, alone or together with others, determines the purpose of and means for processing personal information, regardless of whether or not such data is processed by that party or by a data processor on its behalf; where the purpose and means of processing are determined by or by virtue of an act, decree or ordinance, the controller is the natural person, legal person or public body that has been designated as such by or by virtue of that act, decree or ordinance.
    Data Processor: A natural person, legal person, or public body which processes personal information for and on behalf of the controller and under the data controller's instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data.
    Personal Data: Information about an identifiable individual that is recorded in any form, including, without restricting the generality of the foregoing (a) information relating to the race, national or ethnic origin, religion, age or marital status of the individual; (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved; (c) any identifying number, symbol or other particular assigned to the individual; (d) the address, fingerprints or blood type of the individual; (e) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual; (f) correspondence sent to a data controller by the individual that is explicitly or implicitly of a private or confidential nature, and replies to such correspondence that would reveal the contents of the original correspondence; and (g) the views or opinions of any other person about the individual. 
    Regulator: The Data Protection Commission. Please note that the regulator has not yet been established.

  • Liberia

    Currently there is no data protection law in Liberia. Article 16 of the 1986 Constitution of the Republic of Liberia guarantees the right to privacy.

  • Libya

    Currently, there is no data protection law in Libya. However, Articles 12 and 13 of the Constitution 2011 guarantee the right to a private life for citizens and the confidentiality of correspondence, telephonic conversations and other forms of communications except where required by a judicial warrant respectively.

  • Liechtenstein

    Law: Data Protection Act (DSG) of 4 October 2018 (only available in German here), Data Protection Ordinance (DSV) of 11 December 2018 (only available in German here) and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Liechtensteiner data protection authority ('DSS')

    *Note: In addition, the EEA Joint Committee adopted, on 6 July 2018, decision No 154/2018, incorporating the GDPR into the EEA Agreement. 

  • Lithuania

    Law: Law No XIII-1426 of 30 June 2018 amending Law No I-1374 (only available in Lithuanian here) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: State Data Protection Inspectorate ('VDAI')

  • Luxembourg

    Law: Act of 1 August 2018 on the Organisation of the National Commission for Data Protection and Implementing the GDPR and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: National Commission for Data Protection ('CNPD')

  • Macau

    Law: Personal Data Protection Act (Act 8/2005) ('the Act')
    Data Controller: A natural or legal person, public entity, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. 
    Data Processor: A natural or legal person, public entity, agency or any other body which processes personal data on behalf of a controller. 
    Personal Data: Any information of any type, irrespective of the type of medium involved, including sound and image, relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an indication number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 
    Regulator: Office for Personal Data Protection ('GPDP')

  • Madagascar

    Law: Law No. 2014 - 038 on the Protection of Personal Data (only available in French here). Please note that not all sections of the Law are in force yet. 
    Data Controller: The natural or legal person, whether public or private, who has the power to decide on the creation of the treatment alone or in conjunction with others, and which determines the purposes and means to be implemented. 
    Data Processor: The 'subcontractor' is defined as any person different from the person in charge defined as a 'controller' and dealing with personal data on behalf of the controller and according to his instructions. 
    Personal Data: Any information relating to an identified individual or that can be identified, directly or indirectly, by reference to a name, an identification number or one or more elements specific to it. These elements are physical, physiological, psychological, economic, cultural or social. In order to determine whether a person is identifiable, all means available to the data controller or any other person must be considered for identification. 
    Regulator: The Madagascan information commission ('CMIL'). Please note that the regulator has not been established yet.

  • Malawi

    Law: Data protection provisions are included in Part VII of the Electronic Transactions and Cyber Security Act, 2016 ('the Act').
    Data Controller: A person who, acting alone or in common with other persons, determines the purpose for which, and the manner in which, any personal data is processed, or is to be processed and thus, controls and is responsible for the keeping and using of personal data, and the term includes a person who collects, processes or stores personal data.
    Data Processor: There is no definition of data processor in the Act.
    Personal Data: Any information relating to an individual who (a) may be directly identified; or (b) if not directly identified, may be identifiable by reference to an identification number or one or several elements related to his physical, physiological, genetic, psychological, cultural, social, or economic identity.
    Supervisory Authority: Malawi Communications Regulatory Authority ('MACRA')

  • Malaysia

    Law: Personal Data Protection Act 2010
    Data Controller: A 'data user' is a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor. 
    Data Processor: In relation to personal data, means any person, other than an employee of the data user, who processes the personal data solely on behalf of the data user, and does not process the personal data for any of his own purposes. 
    Personal Data: Any information in respect of commercial transactions, which (a) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should wholly or partly be processed by means of such equipment; or, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system - that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data user, including any sensitive personal data and expression of opinion about the data subject, but not including any information that is processed for the purpose of a credit reporting business carried on by a credit reporting agency under the Credit Reporting Agencies Act 2010. 
    Regulator: Department of Personal Data Protection ('PDP')

  • Maldives

    No further information currently available.

  • Mali

    Law: Law No. 2013/015 of 23 May 2013 on the Protection of Personal Data in the Republic of Mali (only available in French here).
    Data Controller: The 'person responsible for the processing' is defined as any person who, alone or in connection with others, makes decisions regarding the collection and processing of the data and determines the purposes. 
    Data Processor: The 'subcontractor' is any natural or legal person, public or private, or other organisation or association, which processes data on behalf of the controller. The subcontractor may be considered as a delegate of the controller or controllers, regardless of whether or not they are part of a network. 
    Personal Data: Information that exists in various forms and allows for the identification either directly or indirectly of an individual by reference to an identification number or other elements related to their physical, physiological, biometric, genetic, psychic, cultural, social or economic identity. They may be universal identifiers which can be interconnected or files in databases. 
    Regulator: Malian data protection authority ('APDP')

  • Malta

    Law: Data Protection Act (Act XX 2018) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Office of the Information and Data Protection Commissioner ('IDPC')

  • Manitoba

    Law: The Personal Information Protection and Identity Theft Prevention Act, CCSM c P33.7 ('the Act'). Please note that the Act is not yet in force.
    Data Controller | Data Processor: There is no definition of data controller or data processor in the Act. The Act is applicable to every organisation and in respect of all personal information. 
    Personal Data: Information about an identifiable individual. 
    Regulator: Manitoba Ombudsman

  • Martinique

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) and the General Data Protection Regulation (Regulation (EU) 2016/679)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Mauritania
    • Drafted

    Law: Law n° 2017 - 020 on the protection of the personal data (only available in French here)
    Data Controller: Refers to a natural or legal person, public, private or any other structure or association which alone or together with others, makes the decision to collect and process personal data.
    Data Processor: A subcontractor refers to any natural or legal person, public or any other organisation or association that processes data on behalf of the controller.
    Personal Data: refers to any information, irrespective of the nature, including sound and image, relating to an identified or identifiable natural person directly or indirectly, by reference to a number identification mark or one or more elements, suitable for physical, physiological, genetic, psychic, cultural identity, social or economic and those qualified as sensitive.
    Regulator: Personal Data Protection Authority*

    *The Regulator is not operative yet.

  • Mauritius

    Law: Data Protection Act 2017
    Data Controller: A person who, or public body which, alone or jointly with others, determines the purposes and means of the processing of personal data and has decision making power with respect to the processing.  
    Data Processor: A person who, or public body which, processes personal data on behalf of a controller. 
    Personal Data: Any information relating to a data subject. 
    Regulator: Data Protection Office ('The Office')

  • Mexico

    Law: Federal Law on the Protection of Personal Data Held by Private Parties 2010 and the Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties 2011.
    Data Controller: The individual or private legal entity that decides on the processing of personal data. 
    Data Processor: The individual or legal entity that, alone or jointly with others, processes personal data on behalf of the data controller. 
    Personal Data: Any information concerning an identified or identifiable individual. 
    Regulator: National Institute for Transparency, Access to Information and Personal Data Protection ('INAI').

  • Moldova

    Law: Law of 8 July 2011 No. 133 on Personal Data Protection ('the Law')
    Data Controller: A natural or legal person governed by public law, or by private law, including a public authority, agency or any other body, which alone or jointly with others determines the purposes and means of the processing of personal data expressly provided by applicable law. 
    Data Processor: A natural or legal person governed by public law, or by private law, including a public authority and its territorial subdivisions, which processes personal data on behalf of the controller, on instructions from the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity. 
    Regulator: National Center for Personal Data Protection ('NCPDP') 

  • Monaco

    Law: Act No. 1.165 on the Protection of Personal Data (23 December 1993)
    Data Controller: The natural or legal person, governed by private law or public law, public authority, agency or any other body which alone or jointly with others determines the purposes of the data processing and means used and decides that it is to be carried out. 
    Data Processor: There is no definition of data processor within the Act. The 'recipient' of the processed data shall be considered as the natural or legal person, governed by private law or public law, public authority, agency or other body that receives disclosed data, other than the data subject, data controller, subcontractor and persons who, under the direct authority of the controller or subcontractor, are authorised to process the data. 
    Personal Data: Personal data is any information that can be used to determine a natural person’s identity (specific or identifiable). A person is recognised as identifiable if he or she can be identified, directly or indirectly, in particular with reference to an identification number or one or more specific marks that form the person’s own physical, physiological, psychic, economic, cultural, or social identity. 
    Regulator: Monegasque data protection authority ('CCIN')

  • Mongolia

    Currently, there is no comprehensive data protection law in Mongolia, however, the Law of Mongolia on Personal Secrets 1995 (only available in Mongolian here) ('the Personal Secrets Law') is the key legislation that provides detailed regulation in respect of establishing and protecting personal information.

  • Montenegro

    Law: Personal Data Protection Law 79/08 and 70/09 (an updated 2012 version is available in Montenegrin here) ('the Law')*
    Data Controller: A 'personal data filing system controller' is the state authority, public administration body, local self-government and local administration authority, commercial enterprise and other legal person, entrepreneur and natural person, with the seat or domicile in Montenegro, which carries out processing of personal data or establishes personal data filing systems in the way and for the purpose established by law or its legal act. 
    Data Processor: A public authority, public administration body, self-government or local administration authority, commercial enterprise or other legal person, entrepreneur or a natural person, who performs tasks concerning the processing of personal data on behalf of the controller, in accordance with this law. 
    Personal Data: Any information relating to an identified or identifiable natural person. 
    Regulator: Agency for Personal Data Protection and Free Access to Information ('AZLP')


    * The AZLP announced that Montenegro will harmonise the Law with the provisions of the General Data Protection Regulation (Regulation (EU) 2016/679), in view of seeking accession to the EU.

  • Morocco

    Law: Law No. 09-08 on the Protection of Individuals with Regard to Processing of Personal Data (only available in French here).
    Data Controller: A natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes of personal data processing. 
    Data Processor: A 'subcontractor' is a natural or legal person, public authority, agency or any other body, which processes personal data on behalf of the controller. 
    Personal Data: Any information, of any nature and collected on any support (including sound and image), relating to a natural person that is identified or that can be identifiable. 
    Regulator: Moroccan data protection authority ('CNDP')

  • Mozambique

    Law: Electronic Transactions Law 2017.
    Data Controller: n/a
    Data Processor: n/a
    Personal Data: Personal data refers to any information relating to a natural person that can be identified directly or indirectly by reference to an identification number or to one or more specific factors.
    Regulator: n/a

  • Myanmar

    No further information currently available.

  • Namibia
    • Drafted

    DataGuidance confirmed with Alex B. Makulilo, Professor of Law and Technology at the Open University of Tanzania, that Namibia has a draft data protection bill. No further information is currently available. 

  • Nepal

    Law: Individual Privacy Act 2075 (2018) ('the Act') (only available to download in Nepali here)
    Data Controller: The Act does not define the term data controller.
    Data Processor: The Act does not define the term data processor.
    Personal Data: The Act defines the term 'personal information' as any information outlined under Section 2(c) of the Act.
    Regulator: The Act does not provide for a data protection authority or regulatory authority. 

  • Netherlands

    Law: Act Implementing the GDPR (in Dutch here) and the General Data Protection Regulation (Regulation (EU) 2016/679). An unofficial English version of the Act is available here.
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Dutch data protection authority ('AP')

  • New Brunswick

    Law: Right to Information and Protection of Privacy Act, SNB 2009 c R-10.6 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at the federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • New Caledonia

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties*
    Data Controller: A person, public authority, department or any other organisation who determines the purposes and means of the data processing.
    Data Processor: A person who acts under the authority of the data controller or that of the processor, may process personal data only under the data controller’s instructions.
    Personal Data: Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. In order to determine whether a person is identifiable, all the means that the data controller or any other person uses or may have access to should be taken into consideration.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Newfoundland and Labrador

    Law: Access to Information and Protection of Privacy Act, SNL 2015 c A-1.2 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at the federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • New Zealand
    • Drafted

    Law: Privacy Act 1993 ('the Act')*
    Data Controller | Data Processor: There is no distinction between a data controller and data processor. The Act applies to an 'agency' that collects, holds, uses or discloses personal information. 
    Personal Data: Any information about an identifiable individual including information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995, or any former Act (as defined by the Births, Deaths, Marriages, and Relationships Registration Act 1995) 
    Regulator: Office of the Privacy Commissioner of New Zealand ('OPCNZ')

    * Note: The OPCNZ announced, on 20 March 2018, that a draft Privacy Bill to update the Privacy Act 1993 had been introduced to Parliament.

  • Nicaragua

    Law: Law on Personal Data Protection No. 787 of 21 March 2012 (only available in Spanish here) ('the Law') and the Regulation of Law No. 787, Decree No. 36-2012 of 17 October 2012 (only available in Spanish here) ('the Regulation').
    Data Controller: The 'person responsible for the data files' is any natural or legal person, whether public or private, that in accordance with the Law decides on the purpose and content of the data processing. 
    Data Processor: There is no definition of data processor within the Law. 
    Personal Data: All the information related to an individual or an entity which identifies them or makes them identifiable. 
    Regulator: The Nicaraguan data protection authority ('DIPRODAP'), provided for under the Law and Regulation, has not yet been established.

  • Niger
    • Drafted

    Law: Law N° 2017-28 of 3 May 2017 (only available in French here)
    Data Controller: The natural or legal person, public or private, any other body or association which, alone or in conjunction with others, makes the decision to collect and process personal data and determines the finalities.
    Data Processor: Any person entitled to receive data, other than the data subject or controller, who by reason of their duties is responsible for processing such data.
    Personal Data: Any information of any nature whatsoever and independently of its medium, including sound and image, relating to a natural person identified or identifiable directly or indirectly, by reference to an identification number or to several specific elements, specific to its physical, physiological, genetic, psychic, cultural, social or economic identity.
    Regulator: The Data Protection Authority*

    *The Regulator is not fully operative yet.

  • Nigeria

    Law: Nigeria Data Protection Regulation 2019.
    Data Controller: A person who either alone, jointly with other persons or in common with other persons or a statutory body determines the purposes for and the manner in which personal data is processed or is to be processed.
    Data Processor: Data Administrator means a person or an organisation that processes data.
    Personal Data: Any information relating to an identified or identifiable natural person ('Data Subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: National Information Technology Development Agency ('NITDA').

  • Northwest Territories

    Law: Access to Information and Protection of Privacy Act, SNWT 1994 c 20 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Norway

    Law: Law on the Processing of Personal Data (Personal Data Act) of 15 June 2018 (only available in Norwegian here) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Norwegian data protection authority ('Datatilsynet')

  • Nova Scotia

    Law: Freedom of Information and Protection of Privacy Act, SNS 1993 c 5 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Nunavut

    Law: Access to Information and Protection of Privacy Act, SNWT (Nu) 1994 c 20 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Oman
    • Draft approved

    DataGuidance confirmed with the Information Technology Authority ('ITA') that it drafted a data protection law and passed it to the Ministry of Legal Affairs for approval. No further information is currently available. 
     

  • Ontario

    Law: Freedom of Information and Protection of Privacy Act, RSO 1990 c F.31 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Pakistan
    • Drafted

    Law: The Ministry of Information Technology and Telecommunications introduced the draft Personal Data Protection Bill 2018 ('the Bill'). The Bill is currently open for public consultation.
    Data Controller: The Bill defines a 'data controller' as a person who either alone or jointly or in common with other persons processes any personal data or has control over or authorises the processing of any personal data, but does not include a data processor.
    Data Processor: The Bill defines a 'data processor' as any person, other than an employee of the data user, who processes the personal data solely on behalf of the data controller, and does not process the personal data for any of his own purposes.
    Personal Data: The Bill defines it as any information in respect of commercial transactions which (i) is being processed wholly or partly by means of equipment operating automatically in response to instructions given for that purpose, (ii) is recorded with the intention that it should wholly or partly be processed by means of such equipment, or (iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, that relates directly or indirectly to a data subject, who is identified or identifiable from that information or from that and other information in the possession of a data controller, including any sensitive personal data and expression of opinion about the data subject.
    Regulator: Under the Bill, the Federal Government of Pakistan is required to establish a Commission for Personal Data Protection.

  • Panama

    Law: Law No. 81 on Personal Data Protection 2019 (only available in Spanish here) ('the Law') 
    Data Controller: The Law defines the data controller as a natural or legal person or public or private body, that decides on the purpose and means of processing of data and any other matters in relation to the data.
    Data Processor: The Law defines data processor as a natural or legal person or public or private body that acts on behalf of the data controller and is responsible for the custody and safekeeping of the database. 
    Personal Data: The Law defines personal data as any information relating to natural persons which identifies them or makes them identifiable. 
    Regulator: The Law establishes the National Authority of Transparency and Access to Information ('ANTAI') as the competent body to oversee compliance with the obligations contained therein.

  • Papua New Guinea

    No further information currently available.

  • Paraguay

    Law: Law No. 1682 Which Regulates Private Information 2001 (only available in Spanish here) as amended by Law No. 1969 of 2002 (only available in Spanish here) ('the Law').
    Data Controller: There is no definition of data controller in the Law. 
    Data Processor: There is no definition of data processor in the Law. 
    Personal Data: The Law does not provide a definition of personal data, but it does define sensitive data as any data that reveals racial or ethnic origin, political preferences, health information, religious, philosophical or moral beliefs, sexual orientation, and, in general, data which may promote prejudice and discrimination, or affect the dignity, privacy and the private image of persons or families. 
    Regulator: The Law does not provide for the establishment of a data protection authority.

  • Peru

    Law: Law No. 29.733 on the Protection of Personal Data 2011 (only available in Spanish here) ('the Law') and Supreme Decree No. 003-2013-JUS which Approves the Regulation of Law No. 29733 (only available in Spanish here) ('the Regulation'), as amended by Legislative Decree No. 1353 of 7 January 2017 (only available in Spanish here) and Supreme Decree No. 019-2017-JUS which Approves the Regulation of Legislative Decree No. 1353 (only available in Spanish here).
    Data Controller: The Regulation defines the 'person responsible for the processing' as he who decides on the processing of personal data, even when they are not contained in a database. The Law defines a similar concept; the 'owner of the database' is the natural or legal private person or public entity that determines the purpose and content of the database, the data's processing and the security measures. 
    Data Processor: The Regulation defines the 'person in charge of the processing' as he who processes the data, which may be the owner of the database, the person in charge of the database, or another person on behalf of the owner of the database by virtue of a legal relationship that binds them and delimitates the scope of their activity. This includes whoever processes the data on behalf of the data controller when this is done without the existence of a database. Please note that the Law defines the 'person in charge of the database' as the natural or legal private person or public entity that, alone or jointly with others, processes the personal data on behalf of the owner of the database. 
    Personal Data: The Law defines it as any information concerning a natural person that identifies or makes him/her identifiable by any means that may reasonably be used. The Regulation further defines it as information of a numerical, alphabetical, graphic, photographic or acoustic character, or information related to personal habits, or any other type of information concerning natural persons that identifies them or makes them identifiable by any means that may be reasonably used. 
    Regulator: Peruvian data protection authority ('APDP').

  • Philippines

    Law: The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act')
    Data Controller: A person or organisation who controls the collection, holding, processing or use of personal information, including a person or organisation who instructs another person or organisation to collect, hold, process, use, transfer or disclose personal information on his or her behalf.
    Data Processor: Any natural or juridical person qualified to act as such and to whom a personal information controller may outsource the processing of personal data pertaining to a data subject. 
    Personal Data: Refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual. 
    Regulator: National Privacy Commission ('NPC')

  • Poland

    Law: Act of 10 May 2018 on the Protection of Personal Data and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Polish data protection authority ('UODO')

  • Portugal

    Law: Law No. 58/2019, which Ensures the Implementation in the National Legal Order of the General Data Protection Regulation (Regulation (EU) 2016/679) on the Protection of Individuals with Regards the Processing of Personal Data and the Free Movement of Such Data (only available in Portuguese here) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Portuguese data protection authority ('CNPD')

  • Prince Edward Island

    Law: Freedom of Information and Protection of Privacy Act, RSPEI 1988 c F-15.01 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Qatar

    Law: Law No. 13 of 2016 Concerning Privacy and Protection of Personal Data (only available in Arabic here).
    Data Controller: A natural or corporate person who individually, or jointly with others, determines the method and purpose of processing personal data. 
    Data Processor: A natural or corporate person who processes personal data for the controller. 
    Personal Data: Information about an individual who has a verified identity, or can be verified reasonably, whether through such information or by combining such information and other data. 
    Regulator: Ministry of Transport and Communications

  • Qatar - QFC

    Law: QFC Data Protection Regulations 2005 and the Data Protection Rules 2005
    Data Controller: Any person in the QFC who alone or jointly with others determines the purposes and means of the processing of personal data. 
    Data Processor: Any person who processes personal data on behalf of a data controller. 
    Personal Data: Any information relating to an identified natural person or an identifiable natural person. 
    Regulator: Qatar Financial Centre Authority ('QFC Regulatory Authority')

  • Quebec

    Law: Act Respecting the Protection of Personal Information in the Private Sector, CQLR c P-39.1 ('the Act')
    Data Controller | Data Processor: There is no definition of data controller or data processor within the Act. The Act applies to any person who, with respect to the personal data of another, collects, holds, uses or communicates such data to third persons, in the course of carrying on an enterprise. 
    Personal Data: Any information which relates to a natural person and allows that person to be identified. 
    Regulator: The Quebec Commission on Access to Information ('CAI')

  • Republic of North Macedonia
    • Drafted

    Law: Law on Personal Data Protection 2005, as amended (a consolidated 2018 version of the Law is also available in Macedonian here)*
    Data Controller: Any natural or legal person, a State or other body, who, independently or together with others, determines the purposes and the ways of personal data processing. When the purposes and the ways of personal data processing are determined by law or any other regulation, the same law or regulation determines the controller or the special criteria for his/her selection. 
    Data Processor: A 'personal data collection processor' is a natural or a legal person or a legally authorised state body processing the personal data on the behalf of the controller. 
    Personal Data: Any information pertaining to an identified or identifiable natural person, the identifiable entity being an entity whose identity can be determined directly or indirectly, especially as according to the unique register number of the citizen or on the basis of one or more characteristics, specific for his/her physical, mental, economic, cultural or social identity. 
    Regulator: Directorate for Personal Data Protection ('DZLP')

    * OneTrust DataGuidance confirmed with Gjorgji Georgiekiski, Partner at ODI.Law and Marija Serafimovska, Associate at ODI.Law, that a draft law on personal data protection (only available in Macedonian here) is currently subject to a public debate, and it is expected to enter parliamentary procedure by the end of 2019.

  • Romania

    Law: Law No. 190 of 18 July 2018 on the Implementation of the General Data Protection Regulation (Regulation (EU) 2016/679) and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: National Supervisory Authority for Personal Data Processing ('ANSPDCP')

  • Russian Federation

    Law: Federal Law of 27 July 2006 No. 152-FZ on Personal Data (as amended) (only available in Russian here) ('the Law on Personal Data'). An unofficial English version of the Law on Personal Data is available here.
    Data Controller: The Law on Personal Data defines an 'operator' as a state agency, municipal authority, legal entity or individual who, independently or in cooperation with other entities, organises and/or processes personal data, as well as determines the purposes and scope of personal data processing (Article 3(2) of the Law on Personal Data). DataGuidance confirmed with Maria Ostashenko, Partner at ALRUD Law Firm, that this concept is similar to a data controller. 
    Data Processor: There is no definition of data processor in the Law on Personal Data. However, the Law on Personal Data imposes obligations on a person carrying out the processing of personal data on the instructions of an operator (Article 6(3) of the Law on Personal Data). DataGuidance confirmed with Maria Ostashenko, Partner at ALRUD Law Firm, that this concept is similar to a data processor. 
    Personal Data: Any information referring directly or indirectly to a particular or identified individual (a personal data subject). 
    Regulator: The Federal Service for Supervision of Communications, Information Technology, and Mass Media ('Roskomnadzor') 
    Contributor: Maria Ostashenko, Partner at ALRUD Law Firm.

  • Rwanda
    • Drafted

    Law: DataGuidance confirmed with Dr. Patricia Boshe that a Draft Data Protection Law ('the Draft Law') is currently under discussion in Rwanda.
    Data Controller: A public or private body or any other person which or who, alone or together with others, determines the purpose of and means for processing personal information, regardless of whether or not such data is processed by that party or by a data processor on its behalf. Where the purpose and means of processing are determined by or by virtue of an act or law, the controller is the natural person, legal person or public body that has been designated as such by or by virtue of that act or law.
    Data Processor: A natural person, legal person, or public body which processes personal information for and on behalf of the controller and under the data controller's instruction, except for the persons who, under the direct authority of the controller, are authorised to process the data.
    Personal Data: Information about an identifiable individual that is recorded in any form.
    Regulator: Data Protection Commission has not yet been established.

  • Réunion

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here) and the General Data Protection Regulation (Regulation (EU) 2016/679)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Saint Barthélemy

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Saint Kitts and Nevis
    • Announced

    The Data Protection Act 2018 ('the Act') was published in the Official Gazette No. 31 on 7 June 2018. OneTrust DataGuidance confirmed with Karen Hughes, Senior Parliamentary Counsel in the Ministry of Justice and Legal Affairs of Saint Kitts and Nevis, "We would not be able to indicate at this point when the Act will enter into force although the matter is currently under the active consideration of the Government's policy makers."

  • Saint Lucia

    The Data Protection Act 2011 ('the Act') was adopted in 2011, and was amended in 2015 by the Data Protection (Amendment) Act 2014. A copy of the Act is not publicly available.

  • Saint Pierre and Miquelon

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (only available in French here)*
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Saint Vincent and the Grenadines

    Saint Vincent and the Grenadines adopted the Privacy Act No. 18 of 2003, but it is only applicable to the public sector and will not enter into force until a date of commencement is set. A copy of the Act is not publicly available.

  • San Marino

    Law: Law 21 December 2018 No. 171, Protection of Individuals with Regard to the Processing of Personal Data (only available for download in Italian here) ('the Law')
    Data Controller: A natural or legal person, public authority, manager of the service or other body that, individually or together with others, determines the purposes and means of the processing of personal data and the means used, including security aspects.
    Data Processor: A natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller.
    Personal Data: Any information concerning an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, with particular reference to an identifier such as a name, an identification number, location data, an online identifier or one or more characteristic elements of his physical, physiological, genetic, mental, economic, cultural or social identity. 
    Regulator: San Marino data protection authority ('Garante')

  • Saskatchewan

    Law: The Freedom of Information and Protection of Privacy Act, SS 1990-91 c F-22.01 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Saudi Arabia

    There is no general data protection law in place.

    In the absence of a specific data protection law, there is no dedicated privacy regulator. The Communications and Information Technology Commission regulates the wider information and communications technology sector and the National Cybersecurity Authority was established in 2017 with a more specific mandate around cybersecurity. Other regulatory authorities in the area of technology and information include the Ministry of Communications and Information Technology, the Ministry of Media and the General Commission for Audiovisual Media. None of the above have issued any specific guidance on the matter.

  • Senegal

    Law: Law No 2008-12 of 25 January 2008 Concerning Personal Data Protection
    Data Controller: A party 'responsible for the processing' is the natural or legal person, public or private, any other organism or association which, alone or jointly with others, decides to collect and to process personal data and determines the purposes. 
    Data Processor: A 'subcontractor' is any natural or legal entity, public or private, any other body or association which processes data for the person in charge of the treatment. 
    Personal Data: Any information relating to a natural person who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or several elements specific to his physical, physiological, genetic, psychic, cultural, social or economic identity. 
    Regulator: The Senegalese data protection authority ('CDP')

  • Serbia

    Law: Law on Protection of Personal Data 2018 (Official Gazette of the Republic of Serbia, No. 87/2018) (only available in Serbian here) ('the Law')
    Data Controller: A natural person, legal entity or public authority responsible for data processing.
    Data Processor: Any natural person, legal entity or public authority to whom/which a controller delegates certain processing-related duties under the Law or on the basis of a contract. 
    Personal Data: Any information relating to a natural person, regardless of the form of its presentation or the medium used (paper, tape, film, electronic media etc.), regardless of on whose order, on whose behalf or for whose account such information is stored, regardless of the date of its creation or the place of its storage, regardless of the way in which such information is learned (directly, by listening, watching etc., or indirectly, by accessing a document containing the information etc.) and regardless of any other characteristic of such information.
    Regulator: Commissioner for Information of Public Importance and Personal Data Protection ('Poverenik')

  • Seychelles

    Law: Data Protection Act, 2002 ('the Act'). There is currently no publicly available copy of the Act. Please note that the Act has not yet entered into force. 
    Data Controller | Processor: A 'data user' is a person who holds data, and a person 'holds' data if (a) the data form part of a collection of data processed or intended to be processed by or on behalf of that person; (b) that person (either alone or jointly or in common with other persons) controls the contents and use of the data comprised in the collection, and (c) the data are in the form in which they have been or are intended to be processed as mentioned in paragraph (a) or (though not for the time being in that form) in a form into which they have been converted after being so processed and with a view to being further so processed on a subsequent occasion. 
    Personal Data: Data consisting of information which relates to a living individual who can be identified from that information (or from that and other information in the possession of the data user), including any expression of opinion about the individual but not any indication of the intentions of the data user in respect of that individual. 
    Regulator: The regulator has not yet been established.

  • Sierra Leone

    Currently, there is no data protection law in Sierra Leone. However, Article 8 of the Telecommunications Act 2006 provides for the protection of data on computer files and their transmission and to safeguard the secrecy of telecommunications and the protection of personal data in collaboration with the telecommunications network operators.

  • Singapore

    Law: Personal Data Protection Act 2012 (No. 26 of 2012) ('PDPA')
    Data Controller: There is no definition of data controller. The PDPA applies to 'organisations,' which collect, use or disclose personal data.  The term 'organisation' broadly covers natural persons, corporate bodies (such as companies) and unincorporated bodies of persons (such as associations), regardless of whether they are formed or recognised under the law of Singapore, or are resident or have an office or place of business in Singapore.
    Data Processor: There is no definition of data processor. A 'data intermediary' is an organisation which processes personal data on behalf of another organisation but does not include an employee of that other organisation. 'Processing,' in relation to personal data, means the carrying out of any operation or set of operations in relation to the personal data, and includes any of the following: recording; holding; organisation, adaptation or alteration; retrieval; combination; transmission; erasure or destruction.
    Personal Data: Data, whether true or not, about an individual who can be identified (a) from that data or (b) from that data and other information to which the organisation has or is likely to have access. This applies regardless of whether such data is in electronic or other form, regardless of the degree of sensitivity.
    Regulator: Personal Data Protection Commission ('PDPC')

  • Sint Maarten

    Law: National Ordinance on Personal Data Protection 2010
    Data Controller: The 'responsible party' is defined as the natural or legal entity or any other person or administrative authority who or that, alone or in cooperation with others, determines the purposes of and resources for the processing of personal data. 
    Data Processor: The person who processes data on behalf of the data controller, without being subject to the direct authority of the latter. 
    Personal Data: Information concerning an identified or identifiable natural person. 
    Regulator: The Commission for the Supervision of Data Protection has not been established yet.

  • Slovakia

    Law: Act No. 18/2018 Coll. on Protection of Personal Data and on Amendments to certain Acts and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: Office for Personal Data Protection of the Slovak Republic ('ÚOOÚ')

  • Slovenia
    • Drafted

    Law: Personal Data Protection Act 2004* and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Information Commissioner

    *The Ministry of Justice released, on 4 October 2017, a Draft Law on the Protection of Personal Data (ZVOP-2) for public consultation, only available in Slovenian here.

  • Somalia

    No further information currently available.

  • South Africa

    Law: Protection of Personal Information Act, 2013 (Act 4 of 2013) ('POPIA'). Please note that not all provisions of POPIA are currently in force.
    Data Controller: A 'responsible party' is any public or private body or any other person, which alone or in conjunction with others, determines the purpose of and means for processing personal information. 
    Data Processor: An 'operator' is any person who processes personal information for a responsible party in terms of a contract or mandate, without coming under the direct authority of the party. 
    Personal Data: Information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to a) information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person; b) information relating to the education or the medical, financial, criminal or employment history of the person; c) any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person; d) the biometric information of the person; e) the personal opinions, views or preferences of the person; f) correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence; g) the views or opinions of another individual about the person; and, h) the name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person. 
    Regulator: The Information Regulator*

    *Members of the Information Regulator were appointed with effect from 1 December 2016. DataGuidance confirmed, on 27 March 2019, with the Information Regulator, that the Information Regulator is not yet in full operation and a date for when it will be operationally ready is not currently known.

  • South Korea

    Law: Personal Information Protection Act 2011 ('PIPA')
    Data Controller: A 'personal information controller' is a public institution, legal person, organisation, individual, etc., that directly or indirectly processes personal information to operate personal information files for official or business purposes (Article 2(5) of PIPA)
    Data Processor: PIPA refers to a 'handler of personal information', an individual who processes personal information under the supervision of the personal information controller (Article 28(1) of PIPA). 
    Personal Data: The information pertaining to any living person that makes it possible to identify such individual by, among other things, his/her name and resident registration number, image (including the information which, if not by itself, makes it possible to identify any specific individual if combined with other information)
    Regulator: Personal Information Protection Commission ('PIPC')

  • South Sudan

    Currently, there is no data protection law in South Sudan. Article 22 of the Transitional Constitution of South Sudan, 2011 guarantees the right to privacy.

  • Spain

    Law: Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) and General Data Protection Regulation (Regulation (EU) 2016/679) 
    Data Controller: A natural or legal person, whether public or private, or administrative body which determines the purpose, content and use of the processing. 
    Data Processor: A natural or legal person, public authority, service or any other body which alone or jointly with others processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  
    Regulator: Spanish data protection authority ('AEPD')

  • Sri Lanka
    • Drafted

    The Ministry of Digital Infrastructure and Information Technology ('MDIIT') announced, on 24 September 2019, that the proposed personal data protection legislation ('the Bill') had been finalised, following a draft framework on the same ('the Framework'). In particular, the MDIIT noted that the Bill would be implemented in stages, and would come into operation within three years from the date it is certified by the Speaker of the Parliament. Moreover, the MDIIT outlined that the data protection authority provided for in the Bill would be established within 18 months.

  • Sudan

    Currently, there is no data protection law in Sudan. Article 9 of the Electronic Transactions Act 2007 provides for secrecy of electronic data, and states that a service provider must have in place steps and procedures for protection of information by all means and available technologies.

  • Suriname

    No further information currently available.

  • Sweden

    Law: Law 2018:218 with Additional Provisions to the GDPR (only available in Swedish here) and General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    Personal Data: Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    Regulator: Swedish data protection authority ('Datainspektionen')

  • Switzerland

    Law: Federal Act on Data Protection 1992 ('FADP')
    Data Controller: Private persons or federal bodies that decide on the purpose and content of a data file. 
    Data Processor: There is no definition of data processor within the FADP. 
    Personal Data: All information relating to an identified or identifiable person. 
    Regulator: Federal Data Protection and Information Commissioner ('FDPIC')

  • São Tomé and Príncipe

    Law: Law No. 03/2016 on the Protection of Personal Data (only available in Portuguese here)
    Data Controller: Any natural or legal person that determines the purposes for which personal data are to be processed and the means through which this will be done. 
    Data Processor: A natural or legal person that processes personal data on behalf of a data controller. 
    Personal Data: Any information, regardless of its nature or the media on which it is stored, including sound and image, relating to an identifiable natural person (referred to as 'the data subject'). Natural persons are deemed to be identifiable whenever they can be directly or indirectly identified through such information (namely, by a reference to an identification number or to one or more specific elements of their physical, psychological, economic, cultural or social elements). 
    Regulator: DataGuidance confirmed with João Luís Traça, Partner at Miranda & Associados, on 24 October 2018, that the São Tomé and Príncipe Data Protection Agency ('ANPDP') had become fully operational.

  • Taiwan

    Law: Personal Data Protection Act 2010 (as amended in 2015) ('PDPA')
    Data Controller | Data Processor: There is no definition of either data controller or data processor. PDPA applies to non-government agencies which are natural persons, juridical persons or groups. The PDPA simply subjects the 'government agency' and the 'non-government agency' to two different sets of rules in regard to personal data related activities.
    Personal Data: The name, date of birth, ID card number, passport number, characteristics, fingerprints, marital status, family, education, occupation, medical record, medical treatment, genetic information, sexual life, health examination, criminal record, contact information, financial conditions, social activities and other information which may be used to identify a natural person, both directly and indirectly.
    Regulator: There is no single regulator in place, however, the Ministry of Justice ('MoJ') plays a role in interpreting PIPA as well as coordinating the activities of the various ministries, local authorities and sectoral regulators tasked with administering PIPA within their respective competencies.

  • Tajikistan

    Law: Law of 3 August 2018 No.1537 on Protection of Personal Data (available in Tajik here and Russian here) ('Law on Personal Data').
    Data Controller: A holder of personal data means a state agency, legal entity or natural person who has the right to possession, use and disposal of a database according to Tajik legislation.
    Data Processor: A state agency, legal entity or natural person that performs processing and protection of personal data based on Tajik legislation or an agreement with the holder.
    Personal Data: Information on facts, events and life circumstances of a personal data subject, allowing the identification of his personality.
    Regulator: A regulator for protection of personal data has not yet been established.

    Contributor: Sarvinoz Salomzoda

  • Tanzania
    • Drafted

    DataGuidance spoke with Patricia Boshe, Advocate/Lecturer at the Open University of Tanzania, on 6 July 2016, who confirmed that the Tanzanian Government is currently seeking to make changes to the draft data protection bill that was initially produced in 2013 and was last revised in 2014.

  • Thailand

    Law: Personal Data Protection Act 2019 ('PDPA')

    Data Controller: An individual or entity that has the authority to decide about the collection, use or disclosure of personal information.

    Data Processor: An individual or entity that collects, uses or discloses personal information on behalf of the individual or entity that controls the personal information (the data controller).

    Personal Data: Any information about persons that can be used to identify that person, whether directly or indirectly but not including the information of the deceased.

    Regulator: The Personal Data Protection Committee ('PDPC')

  • The Gambia

    Law: Data protection provisions are included in Part XIII of the Information and Communications Act, 2009 ('the Act'). The Act concerns data processing in the context of the provision of information and communication services only.
    Data Controller: There is no definition of data controller in the Act.
    Data Processor: There is no definition of data processor in the Act.
    Personal Data: There is no definition of personal data in the Act.
    Supervisory Authority: Gambia Public Utilities Regulatory Authority ('PURA')

  • Togo

    Law: Law No. 2019-014 Relating to the Protection of Personal Data (only available in French here) ('the Law')

    Data Controller: Any natural person or public or private, any other body or association which, alone or in conjunction with others, takes the decision to collect and process data of a person and determines the purposes of processing.

    Data Processor: A 'subcontractor' is any natural or legal person, public or private, any other organisation or association who processes data on behalf of the person in charge of the processing.

    Personal Data: Any information relating to an identified or identifiable natural person directly or indirectly by reference to an identification number or to one or more elements specific to its physical, physiological, genetic, psychic, cultural, social or economic identity.

    Regulator: Togolese data protection authority ('IPDCP')

  • Trinidad and Tobago
    • Consulting

    Law: Data Protection Act, 2011 ('the Act'). Not all the Act's provisions are in force. The Act was partially proclaimed by Legal Notice 2 of 2012 (downloadable here). Moreover, in October 2016, the Government announced it would be consulting on amending the Act. 
    Data Controller | Data Processor: There are no definitions of data controller or data processor in the Act. However, Section 69 states that a person who (a) collects, retains, manages, uses, processes or stores personal information in Trinidad and Tobago; (b) collects personal information from individuals in Trinidad and Tobago; or (c) uses an intermediary or telecommunications service provider located in Trinidad and Tobago to provide a service in furtherance of paragraph (a) or (b), shall follow the General Privacy Principles set out in Section 6 when dealing with personal information. 
    Personal Data: Personal information is defined as information about an identifiable individual that is recorded in any form including (a) information relating to the race, nationality or ethnic origin, religion, age or marital status of the individual; (b) information relating to the education or the medical, criminal or employment history of the individual or information relating to the financial transactions in which the individual has been involved or which refers to the individual; (c) any identifying number, symbol or other particular designed to identify the individual; (d) the address and telephone contact number of the individual; (e) the name of the individual where it appears with other personal information relating to the individual or where the disclosure of the name itself would reveal information about the individual; (f) correspondence sent to an establishment by the individual that is explicitly or implicitly of a private or confidential nature, and any replies to such correspondence which would reveal the contents of the original correspondence; (g) the views and opinions of any other person about the individual; or (h) the fingerprints, deoxyribonucleic acid, blood type or the biometric characteristics of the individual. 
    Regulator: Office of the Information Commissioner. There is currently no information available as to its establishment.

  • Tunisia
    • Drafted

    Law: Organic Act no 2004-63 of July 27th 2004 on the Protection of Personal Data (only available in French and Arabic, here).
    Data Controller: Any natural or legal person that determines the objectives and means of data processing. 
    Data Processor: Any natural or legal person processing personal data on behalf of the data controller. 
    Personal Data: Any information, regardless of its origin or form which directly or indirectly identifies a person or allows a person to become identifiable through various symbols or data except information related to public life or considered as such by the law. 
    Regulator: Tunisian data protection authority ('INPDP')

    *The INPDP published a draft data protection law on its website (only available in French and Arabic here)

  • Turkey

    Law: Law on Protection of Personal Data No. 6698
    Data Controller: The natural or legal person who determines the ends and means of the processing of personal data and who is responsible for the establishment and management of the filing system.
    Data Processor: The natural or legal person who processes personal data based on the authority granted by the controller on his behalf.
    Personal Data: Any kind of information relating to an identified or identifiable person. 
    Regulator: Personal Data Protection Authority ('KVKK')

  • Turkmenistan

    Law: Law of Turkmenistan of 20 March 2017 on Information on Private Life and its Protection No. 519-V (only available in Russian here) ('the Law on Information')
    Data Controller | Data Processor: Operator of base of personal data ('the operator') includes state bodies and other legal or natural persons collecting, processing and protecting personal information, as well as defining the goals and content of these actions.
    Personal Data: Any information relating to an individual or determined on the basis of such information recorded on electronic, paper or other tangible medium.
    Regulator: The Cabinet of Ministers of Turkmenistan 

  • UAE

    Whilst the United Arab Emirates does not currently have a federal data protection law, separate legal regimes apply to its special economic zones, also known as 'free zones': the Dubai International Financial Centre ('DIFC'), the Abu Dhabi Global Market ('ADGM') and the Dubai Healthcare City ('DHCC').

  • UAE - ADGM

    Law: Data Protection Regulations 2015 and Data Protection (Amendment) Regulations 2018.
    Data Controller: Any person in the Abu Dhabi Global Market (excluding a natural person acting in his capacity as a staff member) who alone or jointly with others determines the purposes and means of the processing of personal data.
    Data Processor: Any person (excluding a natural person acting in his capacity as a staff member) who processes personal data on behalf of a data controller.
    Personal Data: Any data relating to an identified natural person or identifiable natural person.
    Regulator: The ADGM Registration Authority, the Board of Directors of the ADGM and the Office of Data Protection.

  • UAE - DIFC

    Law: Data Protection Law DIFC Law No.1 of 2007 amended by DIFC Laws Amendment Law, DIFC Law No. 1 of 2018 and Data Protection Regulations 2018.
    Data Controller: Any person in the DIFC who alone or jointly with others determines the purposes and means of the processing of personal data. 
    Data Processor: Any person who processes personal data on behalf of a data controller. 
    Personal Data: Any data referring to an identifiable natural person. 
    Regulator: The Commissioner of Data Protection.

  • Uganda

    Law: Data Protection and Privacy Act, 2019
    Data Controller: A person who alone, jointly with other persons or in common with other persons or as a statutory duty determines the purposes for and the manner in which personal data is processed or is to be processed. 
    Data Processor: A person other than an employee of the data controller who processes the data on behalf of the data controller. 
    Personal Data: Information about a person from which the person can be identified that is recorded in any form and includes – (a) data that relates to the nationality, age or marital status of the person; (b) data that relates to the educational level, or occupation of the person or data that relates to a financial transaction in which the person has been involved; (c) an identification number, symbol or other particulars assigned to the person; (d) identity data; and (e) other information which is in the possession of, or is likely to come into the possession of the data controller, and includes an expression of opinion about the individual.
    Regulator: The National Information Technology Authority - Uganda ('NITA - U')

  • UK

    Law: Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679)
    Data Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. 
    Personal Data: Any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 
    Regulator: The Information Commissioner's Office ('ICO')

  • Ukraine

    Law: Law of 1 June 2010 No. 2297-VI on Personal Data Protection (as amended) (only available in Ukrainian here).
    Data Controller: Individuals or legal entities that determine the goals of the personal data processing, and the amount and method of processing.
    Data Processor: Individuals or legal entities authorised by the data controller or by applicable laws to process personal data.
    Personal Data: Data or the collection of data relating to an identified or specifically identifiable natural person.
    Regulator: The Ukraine Parliamentary Commissioner for Human Rights ('the Commissioner')

  • Uruguay

    Law: Law No. 18.331 on the Protection of Personal Data and the Habeas Data Action 2008 (only available in Spanish here) and Decree No. 414/009 Regulating Law 18.331 Relating to the Protection of Personal Data (only available in Spanish here)*.
    Data Controller: The 'person responsible for the database or processing' is the natural or legal person, public or private, who is the owner of the database or who decides on the purpose, content and use of the processing. 
    Data Processor: The 'person in charge of the processing' is a natural or legal person, public or private, that either alone or in conjunction with others processes the personal data on behalf of the data controller. 
    Personal Data: Information of any kind referring to identified or identifiable natural or legal persons. 
    Regulator: Uruguayan data protection authority ('URCDP').

    *DataGuidance confirmed, on 15 August 2018, with Ana Brian Nougrères, Director and Principal Consultant at Estudio Jurídico Briann & Asociados, that a bill on accountability and budget ('the Bill') (only available in Spanish here), which includes five articles relating to data protection, is currently being analysed by the Parliament of Uruguay. You can find further information here.

  • USA Federal

    Law: There is no general data privacy law in place but rather a multitude of federal and state privacy laws. Some of these privacy laws are focused on particular industries, whereas others may concern particular activities or particular data subjects. These privacy laws include, but are not limited to:

    1. Health Insurance Portability and Accountability Act of 1996 ('HIPAA')
    2. Health Information Technology for Economic and Clinical Health Act of 2009 ('HITECH')
    3. Gramm-Leach-Bliley Act of 1999 ('GLBA')
    4. Electronic Communications Privacy Act of 1986 ('ECPA')
    5. Fair Credit Reporting Act of 1970 ('FCRA')
    6. Children's Online Privacy Protection Act of 1998 ('COPPA')

    Draft Law: There have been numerous proposals over the years for a general data privacy law, but none have been passed by the U.S. Congress thus far.
    Regulator: There is no official federal data privacy authority. However, various federal agencies ensure organisations' compliance with the respective federal privacy laws.

  • USA State

    Law: There are three general data privacy laws at a state level. California passed, on 28 June 2018, the California Consumer Privacy Act of 2018 which will come into effect on 1 January 2020. Maine passed, on 6 June 2019, Legislative Document 946 for An Act to Protect the Privacy of Online Customer Information, which will come into effect on 1 July 2020. Finally, Nevada passed, on 29 May 2019, Senate Bill 220 for an Act Relating to Internet Privacy, which amends Chapter 603A of the Nevada Revised Statutes on Security and Privacy of Personal Information and entered into effect on 1 October 2019. In addition, all U.S. states have enacted data breach notification laws, and Washington, Texas and Illinois have enacted laws regulating biometric information. 
    Draft Law: There are a number of proposals and draft bills that are under consideration across the states, and which address a multitude of general and sector-specific data protection issues. 
    Regulator: There are no official state data protection authorities. However, the state Attorneys General are responsible for consumer protection, including the enforcement of state and federal data protection laws.

  • Uzbekistan

    Law: The Law of the Republic of Uzbekistan On Personal Data No. ЗРУ-547 dated 2 July 2019 (only available in Russian here) ('the Law on Personal Data') came into effect on 1 October 2019.
    Data Controller: A personal database owner is a state body, an individual and/or legal entity possessing the right to own, use and dispose of a personal database.
    Data Processor: A personal database operator is a state body, an individual and/or legal entity that processes personal data.
    Personal Data: Information recorded on electronic, paper, and/or other tangible media relating to a specific individual or enabling identification thereof.
    Regulator: The State Personalisation Centre of Uzbekistan and the Cabinet of Ministers of the Republic of Uzbekistan

  • Venezuela

    DataGuidance confirmed, on 19 September 2018, with María Eugenia Salazar and Héctor Martínez, Partner and Associate respectively at Baker McKenzie, that there is currently no general data protection law in Venezuela. Salazar and Martínez noted, "Venezuela is now in a constitutional reform procedure. Thus, legal developments on data protection may arise."

  • Vietnam

    Currently, there is no comprehensive data protection law in Vietnam. However, the Law on Cyber Information Security No. 86/2015/QH13 dated November 19, 2015 ('LCIS'), and the Law on Cybersecurity No. 24/2018/QH14 dated June 12, 2018 ('Cybersecurity Law') (only available to download in Vietnamese here) primarily govern data protection in Vietnam.

  • Wallis and Futuna

    Law: Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties*
    Data Controller: A person, public authority, department or any other organisation who determines the purposes and means of the data processing.
    Data Processor: A person who acts under the authority of the data controller or that of the processor may process personal data only under the data controller’s instructions.
    Personal Data: Any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them. In order to determine whether a person is identifiable, all the means that the data controller or any other person uses or may have access to should be taken into consideration.
    Regulator: French data protection authority ('CNIL')

    *CNIL released, on 13 July 2018, a statement on the applicability of French data protection law to overseas territories.

  • Yukon

    Law: Access to Information and Protection of Privacy Act, RSY 2002 c 1 ('the Act'). Please note that the Act applies to public bodies only. Private organisations are regulated at federal level by the Personal Information Protection and Electronic Documents Act 2000.

  • Zambia
    • Drafted

    DataGuidance confirmed with Alex B. Makulilo, Professor of Law and Technology at the Open University of Tanzania, that Zambia has a draft data protection bill. No further information is currently available. 

  • Zimbabwe
    • Drafted

    Law: Data Protection Bill 2016 (‘the Bill’)
    Data Controller: The Bill defines it as any natural person and legal person excluding a public body which alone or jointly with others determines the purpose and means of processing of personal data. Where the purpose and means of processing are determined by or by virtue of an act, decree or ordinance, the controller is the natural person, legal person or public body designated as such by virtue of that act, decree or ordinance.
    Data Processor: The Bill defines it as any natural or legal person, which processes personal data for and on behalf of the controller and under the data controller’s instruction, except for the persons who, under the direct employment or similar authority of the controller, are authorised to process the data.
    Personal Data: The Bill defines it as any information relating to a data subject, and includes - the person's name, address or telephone number; the person's race, national or ethnic origin, colour, religious or political beliefs or associations; the person's age, sex, sexual orientation, marital status or family status; an identifying number, symbol or other particulars assigned to that person; fingerprints, blood type or inheritable characteristics; information about a person’s health care history, including a physical or mental disability; information about educational, financial, criminal or employment history; opinions expressed about an identifiable person; the individual’s personal views or opinions, except if they are about someone else; personal correspondence pertaining to home and family life.
    Regulator: The Data Protection Authority of Zimbabwe has not been established yet.