Data Protection & Privacy Laws Around the World

Data is the new economic driver as it brings more value and innovations. The same data can also open companies up to risks if left undiscovered, unmonitored, and unprotected. To ensure organizations are handling and processing users’ data in a transparent manner, regional privacy regulations have been established globally.

So far 120 countries around the globe have established privacy and security regulations that protect residents’ data privacy and security. In fact, more local laws have been passed and are soon going into effect, imposing obligations on data controllers and processors to protect consumers’ right to privacy.

The List of Top Data Privacy Laws Around the World:

Experts at Securiti have compiled a list of all privacy laws that are in legislation or going into effect soon. The list includes:

United States

Some U.S. states (California, Colorado and Virginia) have enacted comprehensive consumer data privacy laws. These include:

China

The People’s Republic of China (PRC) has passed 3 major laws relating to the collection, processing, retention, and transfer of data. These include:

Thailand

The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. Learn more about Thailand’s PDPA

Switzerland

The Swiss Parliament passed the revised Federal Data Protection Act (FADP) which is expected to enter into force on September 1, 2023.

Australia

The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. Learn more about Australian Privacy Act 1988

Bahrain

The PDPL is the main data protection regulation in Bahrain that came into force on August 1st 2019, and supersedes any law with contradictory provisions. Learn more about Bahrain’s PDPL

Brazil

Brazil has a very comprehensive data protection law named LGPD that allows people to have more rights over their data and expects businesses to comply with it. Learn more about Brasil’s Lei Geral de Proteção de Dados (LGPD)

Canada

Canada’s primary federal privacy legislation (PIPEDA) applies to organizations that collect, use or disclose personal information in the course of commercial activities. Learn more about Canadian PIPEDA.

Hong Kong

The Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (the “PDPO”) is the primary legislation in Hong Kong which was enacted to protect the privacy of individuals. Learn more about Hong Kong Personal Data (Privacy) Ordinance (PDPO)

Ireland

The Irish Data Protection Act, 2018 (Irish DPA) implements the General Data Protection Regulation (GDPR) and transposes the European Union Law Enforcement Directive in Ireland. Learn more about Irish DPA and GDPR.

Japan

Japan’s APPI regulation outlines how organizations serving goods and services to users and customers in Japan deal with the data subjects’ personal information. Learn more about Japan’s APPI

New Zealand

New Zealand has a Privacy Act (NZPA) 2020 that is the revised version of its older Privacy Act of 1993. Learn more about New Zealand’s NZPA

Philippines

The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act') was the first comprehensive law covering data privacy in the Philippines. Learn more about Philippines' DPA

Qatar

Qatar is the first member of the Gulf Cooperation Council (GCC) that has established data protection regulations. Learn more about Qatar’s Data Privacy Law

South Korea

South Korea has a data protection law that provides very prescriptive, specific requirements throughout the lifecycle of the handling of personal data. Learn more about South Korea’s PIPA

Saudi Arabia

In Saudi Arabia, there is currently no specific data protection legislation in place. Personal data and privacy are somewhat protected in other sectoral laws.

Singapore

In Singapore, PDPA is the principal data protection legislation governing the collection, use, and disclosure of individuals' personal data by organisations. Learn more about Singapore’s PDPA

South Africa

South Africa has a data protection law named POPIA. The main purpose of this law is to protect individuals’ personal information. Learn more about South Africa’s POPIA

Turkey

Turkey published the “Law on the Protection of Personal Data No. 6698” (LPPD), covering personal data protection, on April 07, 2016. Learn more about Turkey’s LPPD

United Arab Emirates

The UAE doesn’t have a comprehensive data protection law at the federal level; however, there are a number of laws in place that govern privacy and security in the UAE.

Austria

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Belgium

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Bulgaria

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Croatia

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Cyprus

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Czech Republic

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Denmark

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Estonia

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Finland

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

France

Like all other EU nations, France has its own interpretation of the GDPR to facilitate the law's implementation as per French needs. Learn more about France Data Protection Law here.

Germany

German Federal Data Protection Act mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently on the national level. Learn more about Germany Federal Data Protection Act here.

Hungary

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Italy

The Italian Data Protection Authority (DPA), referred to as the Guarantor for the Protection of Personal Data (GPDP), or the Privacy Guarantor, is an independent regulatory authority headquartered in Rome. Learn more about Italy Data Protection Law here.

Latvia

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Lithuania

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Luxembourg

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Malta

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Netherlands

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Poland

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Portugal

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Romania

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Slovakia

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Slovenia

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Spain

Spain was one of the first countries globally to take active legislative measures to protect the privacy of its citizens' personal information and data. Learn more about Spain Data Protection Law here.

Sweden

The European privacy regime consists of the multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Zimbabwe

The Cybersecurity and Data Protection Bill has been in the process of being legislated for Zimbabwe since 2020. Learn more

Rwanda

The European privacy regime consists of multiple guidelines (GDPR, ePD, and EDPB) and decisions on enforcement in the EU. Learn more about Rwanda Data Protection Law

Indonesia

Data protection laws exist to defend users’ personal information and let users exercise their right to know what happens to the data gathered by companies. Learn more

Ghana

This applies to any company or organization that processes Ghana's residents' personal data, across the region and beyond. Learn more

Kenya

The DPA seeks to protect the personal data of individuals by obligating data controllers and processors, as well as regulating the processing of that data. Learn more

Uganda

Uganda’s Data Protection and Privacy Act 2019 seeks to protect Uganda’s citizens by outlining rules for processing their personal data. Learn more

Malaysia

The PDPA sets out a complete framework to protect the personal data of individuals with respect to commercial transactions. Learn more about Malaysia PDPA

Argentina

Argentina’s Personal Data Protection Law (PDPL) has been in force since 2000 and applies to persons or legal entities carrying out the treatment or processing of personal data. Learn more about Argentina's PDPL

Chile

Chile’s Law 19,628/1999 ‘Protection of Private Life’, commonly referred to as the Personal Data Protection Law (PDPL), applies to public and private organizations responsible for decisions related to the processing of personal data. Learn more about Chile's Law

Colombia

In Colombia, the general legal framework for managing personal data is Law 1581 of 2012. Learn more about Colombia's Statutory Law

Ecuador

Ecuador’s Ley Orgánica de Protección de Datos Personales (LOPD) in Spanish or Organic Law on Personal Data Protection in English, applies to organizations or entities that are domiciled in Ecuador. Learn more here

Peru

Peru’s Personal Data Protection along with its associated regulation, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP is the primary data protection legislation in Peru. Learn more about Peru's PDP

Uruguay

Uruguay’s Ley de Protección de Datos Personales y Acción de Habeas Data in Spanish or Law on Protection of Personal Data and Action of Habeas Data in English along with its regulatory Decree No. 414/009, dated August 31, 2009. Learn more here

Paraguay

Paraguay’s current data protection law is Law No. 6534/2020 “For the protection of personal credit data” (“Personal Credit Data Protection Law”) which has replaced the earlier Law No. 1682/2001 “which regulates the use of private information”. Learn more about Paraguay's Law now

Egypt

Egypt’s Data Protection Law (DPL) is largely modeled on the GDPR. It applies to both data controllers and processors that process personal data belonging to Egyptian residents. Learn more about Egypt's DPL

Israel

Israel's Protection of Privacy Law of 1981 is one of the oldest privacy laws still in effect today. Learn more about Israel's Protection of Privacy Law now

Andorra

The Andorra personal data protection act came into force on May 17, 2022 by the Andorra Data Protection Authority (ADPA). Learn more about Andorra PDPA

United Kingdom

The UK Data Protection Act (DPA) 2018 is the amended version of the Data Protection Act that was passed in 1998. The DPA 2018 implements the GDPR with several additions and restrictions. Learn more about UK DPA


United States

California Privacy Rights Act (CPRA)

Effective Date: January 1, 2023
Region: NA (North America)

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot by 56% of California voters. Amending the recently passed California Consumer Privacy Act (CCPA) 2018, the CPRA imposes even more stringent privacy protection obligations on organizations and greatly increases the rights of consumers. The law applies to businesses and entities located in California, or anywhere else serving products or services to a California resident, which meet one of the following criteria: they have a gross annual revenue of over $25 million in the preceding calendar year, or buy, receive, or sell the personal information of 100,000 or more California residents, households, or devices, or derive 50% or more of their annual revenue from selling or sharing California residents' personal information. The CPRA will take effect on January 1, 2023, and enforcement will begin six months later, on July 1, 2023.

California Consumer Privacy Act (CCPA)

Effective Date: Since January 1, 2020
Region: NA (North America)

The California Consumer Privacy Act (CCPA) governs companies and individuals that collect and process consumers’ personal information. The law mandates companies to ensure the secure management of data and gives consumers the right to access and control how their personal information is collected, used, or shared. The regulation doesn’t require companies to have a physical presence in California and applies to all for-profit entities providing their goods and services to California residents which meet threshold criteria.

Virginia’s Consumer Data Protection Act (VCDPA)

Effective Date: January 1, 2023
Region: NA (North America)

Virginia became the second state in the United States, after California, to pass a comprehensive data privacy law, called the Virginia Consumer Data Protection Act (VCDPA). The law provides comprehensive data privacy rights to state residents of Virginia and imposes new obligations and duties on businesses managing consumers’ personal data. The law is structurally very similar to the CPRA even if its content diverges. It is slated to go into effect on January 1, 2023. The regulations apply to persons or entities conducting business in the commonwealth or offering products or services to Virginia residents which meet threshold criteria.

Colorado’s Privacy Act (CPA)

Effective Date: July 1, 2023
Region: NA (North America)

Soon after Virginia, Colorado became the third state in the United States to pass a comprehensive data privacy law, named the Colorado Privacy Act (the “CPA”). The CPA applies to companies that conduct business in Colorado or sell products or services intentionally targeted to residents of Colorado which meet threshold criteria. The Colorado law is very similar to the VCDPA, with a few but significant differences. The law will go into effect on July 1, 2023.

Utah Consumer Privacy Act (UCPA)

Effective Date: December 31, 2023
Region: NA (North America)

Utah Governor Spencer Cox signed the Utah Consumer Privacy Act (UCPA) on March 24, 2022, making Utah the fourth state after California, Virginia, and Colorado to implement comprehensive privacy legislation. The UCPA will come into effect starting December 31, 2023, and applies to data controllers and processors. Compared to its predecessors, the UCPA takes a lighter, more business-friendly approach to consumer privacy.

China

China’s Personal Information Protection Law (PIPL)

Effective Date: November 1, 2021
Region: APAC (Asia-Pacific)

On 20 August 2021, China enacted its main data protection regulation, the Personal Information Protection Law (PIPL), which came into effect on November 1, 2021. PIPL applies to organizations that are providing services within China, processing and analyzing personal information of Chinese citizens from within or outside the country. It imposes several stricter obligations on data controllers & processors and also provides extensive rights to individuals.

China’s Data Security Law (DSL)

Effective Date: Since September 1, 2021
Region: APAC (Asia-Pacific)

The DSL applies to and regulates data processing activities by organizations and individuals, and security supervision of such activities within the territory of China. The DSL also regulates data processing activities conducted outside of China that harm China’s national security or the public interest, or the legal interests of citizens and organizations in China. It imposes a number of obligations on organizations and individuals, even those that are not based in China, regarding data categorization and classification, data risk controls and risk assessments, cross-border data transfers, and data export controls.

China’s Cybersecurity Law (CSL)

Effective Date: Since June 1, 2017
Region: APAC (Asia-Pacific)

China’s Cybersecurity Law (the “CSL”) applies to the operation, maintenance, and use of information networks to protect the legal interests and rights of organizations as well as individuals in China. It also promotes the secure development of technology and the digitization of the economy in China. The CSL imposes several important cybersecurity obligations on network operators.

Thailand

Thailand’s Personal Data Protection Act (PDPA)

Effective Date: June 1, 2022
Region: APAC (Asia-Pacific)

Thailand's first consolidated Personal Data Protection Law (PDPA) aims to guarantee the protection of individuals' personal data and impose obligations on businesses that deal with the collection, usage, and disclosure of personal data. PDPA applies to any organization located inside Thailand and organizations with consumers in Thailand that deal with the personal data of Thai residents.

Switzerland

Swiss Revised Federal Act on Data Protection (FADP)

Effective Date: 2023
Region: EMEA (Europe, the Middle East, and Africa)

The revised Swiss Federal Act on Data Protection 2020 (FADP) will replace Switzerland’s long-existing Federal Act on Data Protection of 1992. The revised law expands the definition of sensitive personal data by including genetic and biometric data. Organizations will have enhanced information obligations and will be required to conduct data protection impact assessments for high-risk data processing activities. The Revised Swiss FADP is expected to come into effect in 2023.

Australia

Australian Privacy Act 1988

Effective Date: Since 1988
Region: APAC (Asia-Pacific)

It has been over 20 years since the Privacy Act 1988 was enforced in Australia. The Privacy Act was enacted to protect the privacy of data subjects and regulate how Australian agencies and organizations with an annual turnover of more than $3 million handle their customers’ personal information. The Australia Privacy Act also includes 13 Australian Privacy Principles (APPs), which apply to private sector organizations, as well as most Australian Government agencies.

Bahrain

Bahrain’s Personal Data Protection Law (PDPL)

Effective Date: Since August 1, 2019
Region: EMEA (Europe, the Middle East and Africa)

The PDPL applies to every individual normally living or working in Bahrain (not just citizens of Bahrain), every business with a place of business in Bahrain, and individuals and businesses outside Bahrain who collect the personal data of individuals in Bahrain using means available in Bahrain. The PDPL recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate purposes.

Brazil

Brasil’s Lei Geral de Proteção de Dados (LGPD)

Effective Date: Since September 18, 2020
Region: LATAM (Latin America)

Lei Geral de Proteção de Dados (LGPD) is a comprehensive data protection law in Brazil that takes its inspiration from the EU’s GDPR. The data protection law applies to all data subjects located in Brazil and who are served different products or services from companies operating inside or outside Brazil and to public authorities in Brazil. The law establishes ten legal bases for the lawful processing and handling of data, as well as accountability requirements, mandatory breach notifications and DSRs - imposing heavy penalties upon violation.

Canada

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Effective Date: Since January 1, 2004
Region: NA (North America)

PIPEDA is a federal law that governs data collection, processing, and protection by federal works, undertakings or businesses operating within Canada. The data privacy and protection regulations were enacted to assure the global community of the data protection practices and compliance of the Canadian private sector. The regulations apply to for-profit federally regulated organizations offering commercial services in Canada, such as banks, radio and television studios, airports and airlines, inter-provincial trucking, telecommunication companies, railways, etc.

Hong Kong

Hong Kong Personal Data (Privacy) Ordinance (PDPO)

Effective Date: Since 1995
Region: APAC (Asia-Pacific)

The PDPO is the primary legislation in Hong Kong which was enacted to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by the organizations. The PDPO applies to private and public sector organizations that process, use, hold, or collect personal data. It covers any organization that deals with the collection and processing of personal data irrespective of the location of processing provided that the personal data is controlled by the data user based in Hong Kong.

Ireland

Irish Data Protection Act (Irish DPA)

Effective Date: May 24, 2018
Region: EMEA (Europe, the Middle East and Africa)

The Irish DPA implements the GDPR into the national law by incorporating most of the provisions of the GDPR with limited additions and deletions. It contains several provisions restricting data subjects’ rights that they generally have under the GDPR, for example, where restrictions are necessary for the enforcement of civil law claims.

Japan

Japan's Act on the Protection of Personal Information (APPI)

Effective Date (Amended APPI): April 01, 2022
Region: APAC (Asia-Pacific)

Japan’s APPI regulates personal related information and applies to any Personal Information Controller (the “PIC”), that is, a person or entity providing personal related information for use in business in Japan. The APPI also applies to foreign PICs which handle personal information of data subjects (“principals”) in Japan for the purpose of supplying goods or services to those persons. The act ensures the individual’s rights to privacy and also the legal use of personal data for economic development.

New Zealand

New Zealand’s Privacy Act

Effective Date: December 1, 2020
Region: APAC (Asia-Pacific)

New Zealand’s Privacy Act (NZPA) 2020 is the revised version of its older Privacy Act 1993. It applies to not only New Zealand entities but also to overseas entities in the course of carrying on business in New Zealand, irrespective of their size, geographical location and whether or not they are registered in New Zealand. The NZPA introduces mandatory breach notification requirements including the obligation to notify even those privacy breaches that are caused by any outsourced third-party, in addition to other data protection obligations.

Philippines

Philippines' Data Privacy Act 2012 (DPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

The Philippines Data Privacy Act of 2012 sets the ground rules for organizations dealing with the personal information of Filipinos. The DPA is applicable to ‘the processing of all types of personal information and to any natural and juridical person involved in personal information processing’. It covers the processing of personal information in both public and private sectors. The DPA provides data subjects the right to control the handling of their data and file complaints against the Personal Information Controller (PIC) for illegal access to or processing of their data.

Qatar

Qatar’s Data Protection Law

Effective Date: Since 2016
Region: EMEA (Europe, the Middle East and Africa)

Qatar is the first member of the Gulf Cooperation Council (GCC) that has established data protection regulations that regulate the policies in regards to how organizations treat personal information of data subjects within Qatar. The law was introduced in 2016 but a new set of regulations were later issued on January 31, 2021, to further strengthen data protection policies and guidelines.

South Korea

South Korea's Personal Information Protection Act 2012 (PIPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

South Korea’s privacy protection law, PIPA, governs the collection and processing of personal information of data subjects in its strictest sense. The law requires strict opt-in consent compliance, timely breach notifications, and timely fulfillment of data subject requests. In case of any violations, local and foreign South Korean companies may face heavy fines and penalties. PIPA doesn’t explicitly hint at its territorial scope, but the law is mostly applicable to entities within South Korea.

Saudi Arabia

Saudi Arabia’s Personal Data Protection Law (PDPL)

Effective Date: March 23, 2023
Region: EMEA (Europe, the Middle East and Africa)

Saudi Arabia has enacted a data privacy law to protect the personal data of individuals in Saudi Arabia. This law was approved by the Council of Ministers in Saudi Arabia and is named the Personal Data Protection Law (the “PDPL”). The PDPL aims to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by the organizations. The law is applicable to entities within or outside Saudi Arabia processing personal information of Saudi Arabia residents.

Saudi Arabian E-Commerce Law (ECL)

Effective Date: Since October 2019
Region: EMEA (Europe, the Middle East and Africa)

On January 31, 2020, the government of Saudi Arabia issued the Executive Regulations to the Saudi E-Commerce Law 2019 (“ECL”), which had been in effect since October 2019. The Executive Regulations together with the ECL aim to protect consumers’ personal data by requiring organizations to take appropriate technical and administrative measures. The regulations are applicable to entities conducting business within or outside Saudi Arabia, offering services to Saudi Arabia residents.

Singapore

Singapore’s Personal Data Protection Act (PDPA)

Effective Date: Since November 2012
Region: APAC (Asia-Pacific)

Singapore enacted the Personal Data Protection Act (the "PDPA") in 2012, which came into force in different phases; the provisions concerning data protection were enforced on 2nd July 2014. PDPA recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes. The PDPA covers personal data stored in electronic and non-electronic forms. Anonymised data (where the data can no longer be used to identify the data subject) does not come under the scope of the PDPA.

South Africa

South Africa’s Protection of Personal Information Act (POPIA)

Effective Date: Since July 1, 2021
Region: EMEA (Europe, the Middle East and Africa)

POPIA is established to empower data subjects to have better control over the free flow of their personal information. It applies to public and private bodies that are domiciled in South Africa and not domiciled in South Africa if they process personal information in South Africa, unless such processing is only used to forward the information through the country. POPIA sets out eight conditions that organizations must comply with while processing personal data. These conditions are accountability, processing limitation, purpose specification, further processing limitation, information quality, openness, data security & breach notification and data subject participation. Violators may be fined up to ZAR10 million or get sentenced to up to 10 years in jail for certain non-compliance actions.

Turkey

Turkey’s Law on the Protection of Personal Data (LPPD)

Effective Date: Since April 7, 2016
Region: EMEA (Europe, the Middle East and Africa)

Turkey was one of the first countries to start the trend of legislating data protection. Turkey published the “Law on the Protection of Personal Data No. 6698” (LPPD), covering personal data protection, on April 07, 2016. The LPPD is based on the European Union Data Protection Directive 95/46/EC and has several similarities with the GDPR. It aims to give data subjects control over their personal data and outlines obligations that organizations and individuals dealing with personal data must comply with. The LPPD applies to Turkey's entities and any foreign natural or legal entity collecting or processing Turkish originated data or Turkish data subjects' personal information regardless of their physical location.

United Arab Emirates

UAE’s TRA’s Consumer Protection Regulations (CPR)

Effective Date: 31 December 2021
Region: EMEA (Europe, the Middle East and Africa)

The Telecommunications Regulatory Authority (TRA) of UAE established Consumer Protection Regulations (CPR) mandating all licensed companies in the UAE to strictly protect the PI of consumers. The laws require licensed companies to take measures against PI data leakage, unauthorized access, privacy risks, inappropriate use of PI, etc.

UAE’s CBUAE SVF Regulation

Effective Date: 15 November 2020
Region: EMEA (Europe, the Middle East and Africa)

The Central Bank of UAE (CBUAE) established Stored Value Facilities (SVF) Regulations. Apart from fostering digital payment systems in the region, the regulations also mandate licensed companies to protect the personal information of their customers and protect their systems and data with strict security measures against unauthorized access, inappropriate use, misuse, and any tampering.

DIFC’s Data Protection Law 2020

Effective Date: July 1, 2020
Region: EMEA (Europe, the Middle East and Africa)

The Dubai International Financial Center (DIFC) Data Protection Law 2020 supersedes the Data Protection Law 2007. The DIFC Data Protection Law lays down obligations for organizations regarding the collection, disclosure and processing of personal data in the DIFC, a special economic zone in Dubai. The DIFC Data Protection Law takes reference from the best practice standards on data protections from international laws, and is consistent with EU regulations (GDPR) and OECD guidelines. It is designed to balance the legitimate needs of businesses and organizations to process personal information while upholding an individual’s right to privacy.

France

France Data Protection Act

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

As a member of the European Union (EU), France is subject to the General Data Protection Regulation (GDPR). However, like all other EU nations, the country has implemented the GDPR via the Act on Information Technology, Data Files and Civil Liberties (Data Protection Act). The Act recognizes that information technology serves the needs of every citizen and must not violate human identity, human rights, privacy or civil liberties.

Germany

Germany Federal Data Protection Act (BDSG)

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

As a member of the European Union (EU), Germany is subject to the General Data Protection Regulation (GDPR). However, like all other EU nations, the country has implemented the GDPR via its domestic law, the German Federal Data Protection Act (BDSG). The BDSG provides the same rights to data subjects as those provided under the GDPR, with several limitations under certain circumstances. It also contains specific provisions for the processing of employees’ personal data.

Italy

Italian Data Protection Law

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

Italy is a member state of the European Union where the GDPR is fully effective. Italy implemented the GDPR on 19 December 2018 by revising its Personal Data Protection Code as certain sections directly conflicted with the GDPR. In short, the old legislation has been updated to meet the requirements of the GDPR.

Spain

Spain’s Data Protection Organic Law

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

Spain was one of the first countries globally to take active legislative measures to protect the rights of its citizens in relation to their personal data. The Spanish Data Protection and Digital Rights Organic Law 3/2018 implements the GDPR in Spain. It provides data subjects the right to data portability for social media data, right to be de-listed from internet searches and social media, the right to digital security and the right to universal access to the internet in addition to the rights granted under the GDPR. The Spanish law also places considerable emphasis on transparency and requires data controllers to provide granular and layered information to data subjects in their privacy notices.

Zimbabwe

Zimbabwe Data Protection Act

Effective Date: Since December 3, 2021
Region: EMEA (Europe, the Middle East and Africa)

Zimbabwe formally enacted the Data Protection Act in December 2021. The DPA focuses on data privacy as well as cybersecurity and prevention of cybercrime. It applies to any organization established within or outside Zimbabwe if the means used to process data are located in Zimbabwe and the processing of data is not done for the purpose of transiting data.

Rwanda

Rwanda Data Protection Law

Effective Date: Since Oct 15, 2021
Region: EMEA (Europe, the Middle East and Africa)

Rwanda’s Data Privacy Law was enacted in October 2021 after a comprehensive consultation process. It applies to data controllers, processors, or third parties that are established or ordinarily residing in Rwanda (not just citizens) and processing personal data while in Rwanda. It also applies to those that are not established or resident in Rwanda but process personal data of data subjects located in Rwanda. Organizations that are subject to the law are required to register with the National Cyber Security Authority, the regulatory authority established as per the law.

Indonesia

Indonesia’s Draft Data Protection Law

Effective Date: -

Region: APAC (Asia-Pacific)

The need for data protection stems from the concern of personal data being collected, stored, or shared without the knowledge and consent of the individual(s). As of this writing, there is no comprehensive data protection law in Indonesia. However, as a general rule of thumb, Indonesia protects the data of its citizens in the Constitution of the Republic of Indonesia 1945. On January 24, 2020, the PDPB final draft was submitted to the Indonesian House of Representatives. The PDP law will address the much-needed reforms to the country’s data privacy protection rules.

Ghana

Ghana Data Protection Law

Effective Date: Since Oct, 2012
Region: EMEA (Europe, the Middle East and Africa)

Ghana Data Protection Act 2012 establishes a comprehensive set of provisions governing the collection, processing, use, and protection of personal data by the data controller or data processor. Ghana’s DPA 2012 applies to organizations that process Ghana’s residents’ personal data across the region and beyond.

Kenya

Kenya Data Protection Act

Effective Date: Since Nov, 2019
Region: EMEA (Europe, the Middle East and Africa)

Kenya’s Data Protection Act, 2019 (DPA) is based on the framework of the EU’s General Data Protection Regulation (GDPR), making it the third region in East Africa to have enacted and enforced data protection regulations. The DPA seeks to protect the personal data of individuals by obligating data controllers and data processors and regulating the processing of personal data. The DPA protects the personal data of individuals residing in Kenya.

Uganda

Uganda Data Protection Act

Effective Date: Since 1st Mar, 2019
Region: EMEA (Europe, the Middle East and Africa)

Uganda’s Data Protection and Privacy Act 2019 seeks to protect Uganda’s citizens and their personal data by outlining and implementing rules for processing personal data and sensitive personal data by entities within or outside the country. Uganda’s data protection law further bestows rights upon individuals, allowing them to control how their data is collected and processed. The Data Protection and Privacy Act 2019 applies to both public and private entities.

Malaysia

Malaysia Personal Data Protection Act (PDPA)

Effective Date: Since 15 Nov, 2013
Region: APAC (Asia-Pacific)

Malaysia’s Personal Data Protection Act (PDPA) was passed by the Parliament of Malaysia on 2 June 2010. The PDPA sets out a complete cross-sectoral framework to protect the personal data of individuals with respect to commercial transactions. The PDPA applies to any person or data user (organization) who processes or has control over a data subject’s personal data. The PDPA aims to prevent any misuse of individuals’ personal data by organizations.

Argentina

Argentina – Personal Data Protection Law (Act 25.326)

Effective Date: 2000
Region: LATAM (Latin America)

Argentina’s Personal Data Protection Law (PDPL) has been in force since 2000 and applies to persons or legal entities carrying out the treatment or processing of personal data. The law, along with Decree No. 1160/10 (for implementation of the law), establishes general data protection and habeas data standards. Penalties under the PDPL range from ARS 1,000 to ARS 5 million and imprisonment of a minimum of 6 months to a maximum of 2 years. A new bill, ‘Bill No. MEN-2018-147-APN-PTE’, more closely aligned with the EU GDPR, has been submitted to the Argentine Senate for approval and is intended to replace the PDPL.

Chile

Chile – Protection of Private Life (Law No. 19.628 of 1999)

Effective Date: 1999
Region: LATAM (Latin America)

Chile’s Law 19,628/1999 ‘Protection of Private Life’, commonly referred to as the Personal Data Protection Law (PDPL), applies to public and private organizations responsible for decisions related to the processing of personal data. There is no data protection authority, which means penalties for non-compliance (which may amount to $3500) must be imposed by a court in a private claim. However, since the entry into force of a Pro-Consumer Law, consumers can lodge complaints alleging the violation of the data protection law with the consumer protection agency, SERNAC. SERNAC cannot impose fines, but may initiate and participate in judicial proceedings and collective voluntary proceedings.

Colombia

Colombia – Statutory Law 1581 of 2012

Effective Date: October 17, 2012
Region: LATAM (Latin America)

In Colombia, the general legal framework for managing personal data is Law 1581 of 2012. The law regulates all individuals, private and public companies, and governmental entities which collect the personal data of persons domiciled in Colombia or process any individual’s personal data in Colombia. Its main goal is to preserve people's right to know, update, and correct information on them stored in databases or files.

Ecuador

Ecuador – Ley Orgánica de Protección de Datos Personales (LOPD)

Effective Date: 26 May 2021
Region: LATAM (Latin America)

Ecuador’s Ley Orgánica de Protección de Datos Personales (LOPD) in Spanish or Organic Law on Personal Data Protection in English, applies to organizations or entities that are domiciled in Ecuador and process personal data there, as well as firms or entities that are not domiciled in Ecuador but process personal data of Ecuador residents by selling them goods or services or regulating their behavior. For minor infractions, sanctions range from 0.3% to 0.7% of an organization's yearly revenue from the preceding year, while for serious infractions, sanctions range from 0.3% to 0.7%.

Peru

Peru – Law No. 29733 On the Protection of Personal Data

Effective Date: June 7, 2011
Region: LATAM (Latin America)

Peru’s Personal Data Protection Law, along with its associated regulation, the Supreme Decree N° 003-2013-JUS-Regulation of the PDLP, is the primary data protection legislation in Peru. Another law, Law Nº 27489, enacted in 2001 (and later amended several times), covers entities that handle sensitive personal data and riskier data processing activities, such as processing related to financial, commercial, tax, employment or insurance obligations or the background of a natural or legal person that allows evaluating his/her economic solvency.

Uruguay

Uruguay – Ley de Protección de Datos Personales y Acción de Habeas Data (Law No. 18.331)

Effective Date: August 11, 2008
Region: LATAM (Latin America)

Uruguay’s Ley de Protección de Datos Personales y Acción de Habeas Data (in English, Law on Protection of Personal Data and Action of Habeas Data), along with its regulatory Decree No. 414/009, dated August 31, 2009, applies to individuals, government departments, and public or private organizations processing personal data, whether established in Uruguay or not, but supplying goods and services or analyzing the behavior of individuals in Uruguay or using means of processing located in Uruguay. The law is enforced by the Personal Data Regulatory and Control Unit (Unidad Reguladora y de Control de Datos Personales) (the “URCDP”), a decentralized agency which acts as the data protection authority of Uruguay.

Paraguay

Paraguay – Personal Credit Data Protection Law or Credit Data Law

Effective Date: October 28, 2020
Region: LATAM (Latin America)

Paraguay’s current data protection law is Law No. 6534/2020 “For the protection of personal credit data” (“Personal Credit Data Protection Law”) which has replaced the earlier Law No. 1682/2001 “which regulates the use of private information”. Under the new law, it is prohibited to publicize or diffuse sensitive data of people that are explicitly identified or identifiable. The collection, storage and processing of personal information for private use is allowed when it is lawful, exact, complete, true and updated for the specific purpose for which the data was collected.

Egypt

Egypt’s Data Protection Law

Effective Date: 14 October 2020
Region: EMEA (Europe, the Middle East and Africa)

Egypt’s Data Protection Law (DPL) is largely modeled on the GDPR. It applies to both data controllers and processors that process personal data belonging to Egyptian residents, whether or not they are based in Egypt. Under the DPL, all data breaches or cyber attacks must be reported to the Personal Data Protection Center as well as impacted data subjects within 72 hours. The processing of personal data is allowed only if there exists a legal basis to do so.

Israel

Israel's Protection of Privacy Law

Effective Date: 1981
Region: EMEA (Europe, the Middle East and Africa)

Israel's Protection of Privacy Law of 1981 is one of the oldest privacy laws still in effect today. It has since been supplemented with the Privacy Protection (Data Security) Regulations that contain guidance on obligations relating to data security and international data transfers. It applies to companies that do business in Israel. Key data processing principles are transparency, lawful basis for processing, purpose limitation, data minimisation, proportionality, and data retention.

Andorra

Andorra Personal Data Protection Act

Effective Date: Since May 17, 2022
Region: EMEA (Europe, the Middle East and Africa)

The Andorra personal data protection act came into force on May 17, 2022 by the Andorra Data Protection Authority (ADPA). The law applies to the fully or partially automated and non-automated processing of personal data by individuals or companies located in Andorra. It also applies to individuals or companies outside of Andorra that are using devices for personal data processing located in Andorran territory. The key highlights of the law include provisions regarding the personal data processing of a deceased person, data subject’s consent, appointment of a data protection officer, data subject rights, security breach notifications, and cross-border data transfers.

United Kingdom

UK Data Protection Act (DPA)

Effective Date: Since May 25, 2018
Region: EMEA (Europe, the Middle East and Africa)

The UK Data Protection Act (DPA) 2018 is the amended version of the Data Protection Act that was passed in 1998. The DPA 2018 implements the GDPR with several additions and restrictions. The DPA 2018 is divided into three kinds of processing including general data processing, processing by law-enforcement agencies, and processing by intelligence services. The DPA 2018 must be read together with the UK GDPR, which is the GDPR as it was on 31st December 2020 and any applicable case law at that point.

European Union

EU’s General Data Protection Regulation (GDPR)

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East and Africa)

The European Union’s General Data Protection Regulation (GDPR) is considered to be the most comprehensive data protection legal framework; it aims to protect the personal data of natural persons and grants several rights to them. The regulation applies to companies established in the EU. It also applies to organizations not established in the EU that monitor individuals’ behavior in the EU or offer goods or services to data subjects in the EU. Inspired by the GDPR, countries all around the world have formulated their data protection laws based on a similar framework.

To Conclude:

Compliance with global data privacy laws is obligatory for every business. Failure to comply can result in significant losses, such as loss of consumer trust, class-action lawsuits, and hefty fines.

Is your organization ready to comply with the existing as well as upcoming data privacy laws? Watch the demo to see how Securiti is helping organizations with global privacy regulatory compliance.
