October 2023

1. Governing Texts

On October 10, 2018, Lebanon enacted Law No. 81 of 10 October 2018 on Electronic Transaction and Personal Data (only available in Arabic here) ('the Law'). The Law contains provisions on data protection that are applicable in the Republic of Lebanon.

In addition, the right to privacy is recognized by the Constitutional Council ('the Council') as a constitutional right.

1.1. Key acts, regulations, directives, bills

Prior to the enactment of the Law, Lebanon did not have specific provisions pertaining to the protection of personal data, and the legal landscape was characterized by the lack of any statute dealing specifically with the issue of data protection. The Law contains provisions on data protection in Title 5 which is entitled 'Protection of Personal Data'.

This title is composed of the following chapters:

• Chapter 1: General Provisions;
• Chapter 2: Collection and processing of personal data;
• Chapter 3: Required Procedure to enact the processing of personal data;
• Chapter 4: The Right to access and rectify; and 
• Chapter 5: Criminal Provisions.

Right to privacy

The right to privacy is recognized by the Council as a constitutional right.

It is also recognized by the following provisions which are considered an integral part of the Lebanese Constitution (only available in Arabic here):

• Article 12 of the Universal Declaration of Human Rights;
• Article 17 of the International Covenant on Civil and Political Rights; and
• Article 16 of the Arab Charter on Human Rights.

Professional Secrecy in the Criminal Code

Articles 579 to 581 of the Code of Criminal Procedure (only available in Arabic here) provide sanctions in case of disclosure of professional secrets.

1.2. Guidelines

Not applicable.

1.3. Case law

There is no known case law pertaining to the data protection provisions of the Law.

2. Scope of Application

2.1. Personal scope

The Law applies to the processing of the personal data of identifiable natural persons (Article 1 of the Law). The Law determines the rights of the natural persons whose data is being processed (Article 1 of the Law). The Law also determines the obligations of data controllers who are the natural persons or legal entities that determine the purposes and methods of data processing (Article 1 of the Law).

2.2. Territorial scope

The territorial scope of the provisions on personal data protection is not clearly determined by the Law. Article 85 of the Law suggests that its provisions are applicable to the processing of personal data that is carried out in the Republic of Lebanon. The Law does not explicitly provide for the extraterritorial application of any data protection provisions.

2.3. Material scope

The provisions of the Law apply to any automated or non-automated processing of personal data (Article 85 of the Law). However, the provisions of the Law are not applicable to data processing related to personal activities undertaken by the individual for their exclusive personal needs (Article 85 of the Law).

Special categories for which data processing is prohibited, except within the limited scope prescribed, are found in Article 91 of the Law. They include data that relates to health issues, genetic identity, and sex life of the data subject.

It should be noted that parties cannot agree to displace the application of the provisions that govern the rights of individuals concerned with data processing or the obligations of the persons responsible for such processing (Article 85 of the Law).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The Law does not provide for the creation of an independent public authority that supervises the application of the data protection law. In effect, Lebanon does not have an independent data protection authority.

Article 102 of the Law provides that the data subject may seek legal recourse before local courts to protect their rights to access and rectify the collected personal data and guarantee the application of the provisions of the Law.

It should be noted that Article 95 of the Law provides for the requirement of a declaration submitted to the Ministry of Economy and Trade ('MoET') for the collection and processing of personal data that is not exempt from the declaration requirement by Article 94 of the Law. In addition, Article 97 of the Law provides for the requirement of a special license delivered by the MoET for the collection and processing of personal data related to:

• foreign and national state security matters determined by a joint decision of the Ministry of National Defence ('MoND') and the Ministry of Interior and Municipalities ('MoIM');
• crimes and judicial cases determined by a decision of the Ministry of Justice ('MoJ'); and
• health issues, genetic identity, and sex life determined by the Ministry of Public Health ('MoPH').

3.2. Main powers, duties and responsibilities

There is no independent main regulator for data protection in Lebanon.

The MoET is authorized to receive declarations related to the collection and processing of personal data that is not exempt from the declaration requirement by Article 94 of the Law (Article 95 of the Law). The MoET is also authorized to deliver a special license for the collection and processing of the personal data mentioned in Article 97 of the Law).

4. Key Definitions

Data controller: This means the natural or legal person who determines the purposes and means of the processing of personal data (Article 1 of the Law).

Data processor: The Law does not provide a definition of data processor.

Personal data: Any information related to a physical person that enables their identification, directly or indirectly, including by comparing information collected from various sources or by cross-checking various information (Article 1 of the Law).

Sensitive data: The Law does not provide a definition of sensitive data. However, data related to the health, genetic identity, and sex life of an individual is subject to specific provisions (See Articles 91 and 97 of the Law).

Health data: The Law does not provide a definition of health data. However, data related to the health, genetic identity, and sex life of an individual is subject to specific provisions (See Articles 91 and 97 of the Law).

Biometric data: The Law does not provide a definition of biometric data.

Pseudonymization: The Law does not provide a definition of pseudonymization.

5. Legal Bases

The Law does not specifically require that the controller identify a legal basis prior to the collection and processing of personal data. Instead, the Law requires that data be processed according to various principles established under the Law and provides data subjects with the general right to review and object to the processing of their personal data, with some exceptions.

Article 91 of the Law prohibits the processing of personal data related to the health issues, genetic identity, and sex life of the data subject unless the data subject has explicitly authorized the processing of such data.

5.1. Consent

The Law does not provide any definition of consent or any specific provision pertaining to the requirement of consent for the processing of personal data or any provisions pertaining to the conditions of consent.

Article 94 of the Law exempts the data controller from the obligation of declaration described in Article 95 of the Law, in case the data subject consents to the collection and processing of their personal data.

5.2. Contract with the data subject

The Law does not contain any specific provision related to the contract with the data subject.

5.3. Legal obligations

Article 92 of the Law provides that the data subject is precluded from objecting to the collection and processing of their personal data in case the data controller is under a legal obligation to collect such data or the data subject, and where it necessary to prove or defend a right in court proceedings. 

5.4. Interests of the data subject

Article 91 of the Law prohibits the processing of personal data related to the health issues, genetic identity, and sex life of the data subject. This prohibition is waived in the following cases:

• where the data subject has made the information publicly available or has explicitly consented to the processing of such data;
• where the collection and processing of such data are necessary to diagnose the data subject or administer treatment by a medical professional; and 
• where the data controller has received authorization in accordance with Article 97 of the Law.

5.5. Public interest

Article 87 of the Law provides that the data controller cannot process personal data for purposes that do not coincide with the declared purposes unless the data processing relates to statistical, historical, or scientific purposes.  

Article 94 of the Law exempts from the obligation of declaration and/or the obligation to seek a license for the processing of personal data:

• by public legal entities;
• by a non-profit association; and
• for the purposes of updating records that aim to inform the public and that can be accessed by any person who has a legitimate interest.

5.6. Legitimate interests of the data controller

The Law does not contain any provision related to the data controller's legitimate interests.

5.7. Legal bases in other instances

Not applicable.

6. Principles

The principles of data protection mentioned in the Law are as follows:

• principle of purpose limitation (Article 87 of the Law);
• principle of safe, lawful, specific, and transparent processing (Article 87 of the Law);
• principle of accuracy (Article 87 of the Law);
• principle of proportionality (Article 87 of the Law);
• principle of storage limitation (Article 90 of the Law);
• principle of security (Article 93 of the Law); and
• principle of confidentiality (Article 106 of the Law).

7. Controller and Processor Obligations

The Law imposes on the data controller the following legal obligations:

• obligation to collect data safely and for legitimate, determined, and explicit purposes: Article 87 of the Law provides that personal data is to be collected safely and for legitimate, determined, and explicit purposes. The collected and processed personal data must be adequate and proportionate to the declared purposes. The personal data must be correct, complete, and up to date. The data controller cannot process personal data for purposes that do not coincide with the declared purposes unless the data processing relates to statistical, historical, or scientific purposes; 
• obligation to guarantee the safety of the collected personal data: Article 93 of the Law imposes an obligation to guarantee the safety, security, and integrity of the collected data;
• obligation of declaration to the MoET: Article 95 of the Law imposes on the data controller an obligation to declare to the MoET the intent to collect and process personal data that is not covered by Article 94 of the Law; and
• obligation to seek a license: Article 97 of the Law imposes on the data controller an obligation to seek a license from the MoET to collect and process personal data related to foreign and national state security matters determined by a joint decision of the MoND and the MoIM; crimes and judicial cases determined by a decision of the MoJ; and health issues, genetic identity, and sex life as determined by the MoPH.

7.1. Data processing notification

Article 95 of the Law provides for the requirement of a declaration submitted to the MoET for the collection and processing of personal data. Article 96 of the Law provides the format and content requirements of such declaration. The format and content of the declaration include (Article 96 of the Law):

• objectives of the process;
• personal data, and the source thereof, under processing;
• categories of personal data concerned;
• third parties, or the categories thereof, who can view the data;
• data retention period;
• identity and address of the data processing officer;
• identity and address of the data processing officer in the event the said officer is residing outside the Lebanese territory;
• agency or agencies assigned with implementing the processing;
• person or agency exercising the right of access and how they exercise the said right;
• subcontractor, if any;
• method of access, or any other form of connection between data and other processes as well as possible data waivers to third parties where appropriate;
• actions taken to ensure the integrity of personal data and to ensure the preservation of secrets protected under law, which are to be properly implemented by the data processing officer; and
• emphasizing that the processing shall be carried out in accordance with the law.

In addition, Article 97 of the Law provides for the requirement of a special license delivered by the MoET for the collection and processing of personal data related to:

• foreign and national state security matters determined by a joint decision of the MoND and the MoIM;
• crimes and judicial cases determined by a decision of the MoJ; and
• health issues, genetic identity, and sex life determined by the MoPH.

Licenses must be issued within two months of the date of submission of the application, otherwise, it will be deemed implicitly denied upon expiry of the deadline (Article 97 of the Law).

Moreover, Article 98 of the Law provides that the MoET must make available to the public on its website, a list of possible processes that meet the licensing or authorization requirements set out in Articles 95, 96, and 97 of the Law. However, the list has yet to be published on the MoET website. The list must define, for each case of authorized and licensed processing, the following (Article 98 of the Law):

• license of permit granted, the date thereof, and the date of commencement of the processing;
• name and purpose of the processing;
• identity and address of the data processing officer;
• identity and address of the representative of the data processing officer in the event the said officer is residing outside Lebanon;
• personal data categories under processing;
• person or administration exercising the right to access the data;
• third parties, or categories thereof, who are authorized to view the data; ad
• personal data intended for cross-border transfer where appropriate.

Exemptions

Article 94 of the Law exempts from the obligation of declaration and/or the obligation to seek a license for:

• the processing of personal data by public legal entities;
• the processing of personal data by non-profit associations;
• the processing of personal data for the purposes of updating records that aim to inform the public and that can be accessed by any person who has a legitimate interest;
• the processing of the personal data of students by education institutions for the educational or administrative purposes;
• the processing of the personal data of employees or members of enterprises, commercial companies, associations, orders, and liberal professionals within the limit of the purposes of the professional activity;
• the processing of the personal data of customers and clients of enterprises, commercial companies, orders, associations, and liberal professionals within the limit of the purposes of their activity; and
• the processing of personal data of a data subject who has already given explicit consent to the processing of their data.

In addition, the processing of personal data is exempt from the obligation of declaration and/or the obligation to seek a license in case it does not create any danger to private life or individual liberties.

7.2. Data transfers

The Law does not contain any explicit provision on data transfers.

7.3. Data processing records

The Law does not contain any explicit provision on data processing records.

7.4. Data protection impact assessment

The Law does not contain any explicit provision on Data Protection Impact Assessments.

7.5. Data protection officer appointment

The Law does not contain any explicit provision on data protection officer appointment.

7.6. Data breach notification

The Law does not contain any explicit provision on data breach notification.

7.7. Data retention

Article 90 of the Law provides that it is unlawful to retain personal data for a period that exceeds the period mentioned in the declaration made to the MoET or the period mentioned in the decision that authorizes data processing.

7.8. Children's data

The Law does not contain any explicit provision on the processing of children's data.

7.9. Special categories of personal data

Article 91 of the Law prohibits the collection and processing of personal data that reveals, directly or indirectly, the health status, genetic identity, or sexual life of the data subject, subject to the following exceptions:

• the data subject has made such data publicly available or has explicitly agreed to the processing of the same;
• the data collection or processing is necessary to establish a medical diagnosis or to provide medical treatment by a healthcare professional;
• the processing is necessary in the context of judicial proceedings; or
• the controller obtains a special license in accordance with Article 97 of the Law.

In addition, Article 97 of the Law provides for the requirement of a special license delivered by the MoET for the collection and processing of personal data related to:

• foreign and national state security matters determined by a joint decision of the MoND and the MoIM;
• crimes and judicial cases determined by a decision of the MoJ; and
• health issues, genetic identity, and sex life determined by the MoPH.

7.10. Controller and processor contracts

The Law does not contain any explicit provision for the requirement of a contract between a controller and a processor.

8. Data Subject Rights

8.1. Right to be informed

Article 88 of the Law imposes on the data controller an obligation to inform the data subject of the following:

• the identity of the data controller and their representative;
• the purposes of data processing;
• the mandatory or optional nature of the answers to the questions asked;
• the consequences of not answering the questions;
• the identity of the persons who will receive the personal data; and
• the right to access and rectify the collected data.

In addition, where the data is not collected directly from the data subject, the data controller must inform the data subject personally and explicitly of the purposes of the data processing and of their right to object to the data processing. This obligation is displaced in case the data subject was aware of the data processing or the information of the data subject is impossible or requires disproportionate efforts with regard to the utility of the information (Article 89 of the Law).

8.2. Right to access

Article 99 of the Law confers to the data subject the right to request information related to:

• the purposes of processing;
• the categories of processing;
• the sources of processing;
• the subject of processing;
• the nature of processing; and
• the identity of the persons that will receive the personal data or that have access to personal data as well as the purposes of this access.

In addition, Article 103 of the Law restricts the right of the data subject to access personal data that was processed for the purposes of foreign and national security in case it endangers the foreign or national security of the State.

It should be noted that the data controller may refuse to comply with any abusive request made by the data subject or any of their heirs, especially in relation to their frequency (Article 100 of the Law).

8.3. Right to rectification

Article 101 of the Law confers to the data subject or any of their heirs a right to rectify, complete, and update the processed personal data.

In case the processed data was sent to a third party, the data controller must inform the third party of the rectification.

8.4. Right to erasure

Article 101 of the Law confers to the data subject or any of their heirs a right to the erasure of the processed personal data.

In case the processed data was sent to a third party, the data controller must inform the third party of the erasure.

8.5. Right to object/opt-out

Article 86 of the Law provides that the data subject has the right to object to the processing of their personal data.

Article 92 of the Law grants the data subject the right to object to the collection and processing of their personal data, including the collection and processing of personal data for marketing purposes. However, the data subject is prevented from objecting to the collection and processing of their personal data in case the data controller is under a legal obligation to collect such data or the data subject has given their explicit consent to the processing of their personal data.

8.6. Right to data portability

The Law does not contain a specific provision on data portability.

8.7. Right not to be subject to automated decision-making

The Law does not contain a specific provision on the right not to be subject to automated decision-making. However, it is possible to infer such a right from the right to object described in the section on the right to object/opt-out above.

8.8. Other rights

Article 102 of the Law confers to the data subject the right to seek legal recourse before local courts, and especially the urgent matters judge, in order to guarantee their right to access and rectify the processed data, as well as to ensure the application of the provisions of the Law.

9. Penalties

Article 106 of the Law provides for a penalty of a fine of LBP 1 million (approx. $70) to LBP 3 million (approx. $200) and/or imprisonment of three months to three years for the following infractions:

• the processing of personal data without a declaration or a license;
• the processing of personal data in violation of the provisions of Chapter 2 of Part 5 of the Law; and/or
• the intentional or unintentional disclosure of processed personal data to unauthorized third parties.

Article 107 of the Law provides for a penalty by means of a fine of LBP 1 million (approx. $70) to LBP 5 million (approx. $330) for any data controller that refuses to comply with a request made by the data subject to access or rectify the processed personal data within a period of 10 days or that has complied inadequately to such a request.

Article 108 of the Law provides that the sanctions described in Articles 106 and 107 are aggravated in case of recidivism.

9.1 Enforcement decisions

There are no current decisions related to the enforcement of the provisions under the Law.