
Data Protection & Privacy Laws Around the World

Data is the new economic driver as it brings more value and innovations. The same data can also open companies up to risks if left undiscovered, unmonitored, and unprotected. To ensure organizations are handling and processing users’ data in a transparent manner, regional privacy regulations have been established globally.

So far, 120 countries around the globe have established privacy and security regulations that protect residents’ data privacy and security. In fact, more local laws have been passed and are soon going into effect, imposing obligations on data controllers and processors to protect consumers’ right to privacy.

The List of Top Data Privacy Laws Around the World:

Experts at Securiti have compiled a list of all privacy laws that are in legislation or going into effect soon. The list includes:


United States

Some U.S. states (California, Colorado and Virginia) have enacted comprehensive consumer data privacy laws. These include:

China

The People’s Republic of China (PRC) has passed 3 major laws relating to the collection, processing, retention, and transfer of data. These include:

Thailand

The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. Learn more about Thailand’s PDPA

Switzerland

The Swiss Parliament passed the revised Federal Data Protection Act (FADP), which should come into force in the second half of 2022. Learn more about Swiss Revised FADP

Australia

The Privacy Act 1988 (Privacy Act) is the principal piece of Australian legislation protecting the handling of personal information about individuals. Learn more about Australian Privacy Act 1988

Bahrain

The PDPL is the main data protection regulation in Bahrain that came into force on August 1st 2019, and supersedes any law with contradictory provisions. Learn more about Bahrain’s PDPL

Brazil

Brazil has a very comprehensive data protection law named LGPD that allows people to have more rights over their data and expects businesses to comply with it. Learn more about Brasil’s Lei Geral de Proteção de Dados (LGPD)

Canada

Canada’s primary federal privacy legislation (PIPEDA) applies to organizations that collect, use or disclose personal information in the course of commercial activities. Learn more about Canadian PIPEDA.

Hong Kong

The Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (the “PDPO”) is the primary legislation in Hong Kong which was enacted to protect the privacy of individuals. Learn more about Hong Kong Personal Data (Privacy) Ordinance (PDPO)

India

The new Data Protection Bill 2021 brings much needed legislation on the rights of users to data protection. Understanding this bill could prove vital for companies in and outside the country. Learn more about Indian DPB 2021.

Ireland

The Irish Data Protection Act, 2018 (Irish DPA) implements the General Data Protection Regulation (GDPR) and transposes the European Union Law Enforcement Directive in Ireland. Learn more about Irish DPA and GDPR.

Japan

Japan’s APPI regulation outlines how organizations serving goods and services to users and customers in Japan deal with the data subjects’ personal information. Learn more about Japan’s APPI

New Zealand

New Zealand has a Privacy Act (NZPA) 2020 that is the revised version of its older Privacy Act 1993. Learn more about New Zealand’s NZPA

Philippines

The Data Privacy Act of 2012 (Republic Act No. 10173) ('the Act') was the first comprehensive law covering data privacy in the Philippines. Learn more about Philippines' DPA

Qatar

Qatar is the first member of the Gulf Cooperation Council (GCC) that has established data protection regulations. Learn more about Qatar’s Data Privacy Law

South Korea

South Korea has a data protection law that provides very prescriptive, specific requirements throughout the lifecycle of the handling of personal data. Learn more about South Korea’s PIPA

Saudi Arabia

Saudi Arabia's Personal Data Protection Law (PDPL) protects users' data from being shared, sold, or transferred without proper consent. The PDPL will come into effect in March 2022. Learn more about:

Singapore

In Singapore, PDPA is the principal data protection legislation governing the collection, use, and disclosure of individuals' personal data by organisations. Learn More about Singapore’s PDPA

South Africa

South Africa has a data protection law named POPIA. The main purpose of this law is to protect individuals’ personal information. Learn more about South Africa’s POPIA

Turkey

Turkey published the “Law on the Protection of Personal Data No. 6698” (LPPD), covering personal data protection, on April 07, 2016. Learn more about Turkey’s LPPD

United Arab Emirates

UAE has recently passed a comprehensive data protection law at its federal level along with other laws in place that govern privacy and security law in the UAE.

Austria

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Belgium

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Bulgaria

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Croatia

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Cyprus

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Czech Republic

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Denmark

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Estonia

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Finland

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

France

Like all other EU nations, France has its own interpretation of the GDPR to facilitate the law's implementation as per French needs. Learn more about France Data Protection Law here.

Germany

German Federal Data Protection Act mirrors the GDPR in all key areas while giving local German regulatory authorities the power to enforce it more efficiently on the national level. Learn more about Germany Federal Data Protection Act here.

Hungary

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Italy

The Italian Data Protection Authority (DPA), referred to as the Guarantor for the Protection of Personal Data (GPDP), or the Privacy Guarantor, is an independent regulatory authority headquartered in Rome. Learn more about Italy Data Protection Law here.

Latvia

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Lithuania

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Luxembourg

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Malta

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Netherlands

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Poland

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Portugal

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Romania

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Slovakia

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Slovenia

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Spain

Spain was one of the first countries globally to take active legislative measures to protect the privacy of its citizens' personal information and data. Learn more about Spain Data Protection Law here.

Sweden

The European privacy regime consists of multiple guidelines (GDPR, ePD and EDPB) and decisions on enforcement in the EU. Learn more about GDPR

Zimbabwe

The Cybersecurity and Data Protection Bill has been in the process of being legislated for Zimbabwe since 2020. Learn more

Rwanda

The European privacy regime consists of multiple guidelines (GDPR, ePD, and EDPB) and decisions on enforcement in the EU. Learn more about Rwanda Data Protection Law

Indonesia

Data protection laws exist to defend users’ personal information and uphold their right to know what happens to the data gathered by companies. Learn more

Ghana

This applies to any company or organization that processes Ghana's residents' personal data, across the region and beyond. Learn more

Kenya

The DPA seeks to protect the personal data of individuals by obligating data controllers and processors, as well as regulating the processing of that data. Learn more

Uganda

Uganda’s Data Protection and Privacy Act 2019 seeks to protect Uganda’s citizens by outlining rules for processing their personal data. Learn more

Malaysia

The PDPA sets out a complete framework to protect the personal data of individuals with respect to commercial transactions. Learn more about Malaysia PDPA


United States

California Privacy Rights Act (CPRA)

Effective Date: January 1, 2023
Region: NA (North America)

The California Privacy Rights Act (CPRA) was passed in the November 2020 ballot by 56% of California voters. Amending the recently passed California Consumer Privacy Act (CCPA) 2018, the CPRA imposes even more stringent privacy protection obligations on organizations and greatly increases the rights of consumers. The law applies to businesses and entities located in California or anywhere serving products or services to a California resident. The CPRA will take effect on January 1, 2023, and enforcement will begin six months later, on July 1, 2023.


California Consumer Privacy Act (CCPA)

Effective Date: Since January 1, 2020
Region: NA (North America)

The California Consumer Privacy Act (CCPA) governs companies and individuals that collect and process consumers’ personal information. The law mandates companies to ensure the secure management of data and gives consumers the right to access and control how their personal information is collected, used, or shared. The regulation doesn’t require companies to have a physical presence in California and applies to all entities offering services to California residents.


Virginia’s Consumer Data Protection Act (VCDPA)

Effective Date: January 1, 2023
Region: NA (North America)

Virginia became the second state in the United States, after California, to pass a comprehensive data privacy law, called the Virginia Consumer Data Protection Act (VCDPA). The law provides comprehensive data privacy rights to state residents of Virginia and imposes new obligations and duties on businesses managing consumers’ personal data. The law is structurally very similar to the CPRA even if its content diverges. It is slated to go into effect on January 1, 2023. The regulations apply to persons or entities conducting business in the commonwealth or offering products or services to Virginia residents.


Colorado’s Privacy Act (CPA)

Effective Date: July 1, 2023
Region: NA (North America)

Soon after Virginia, Colorado became the third state in the United States to have passed a comprehensive data privacy law, named the Colorado Privacy Act (the “CPA”). The CPA applies to companies that conduct business in Colorado or sell products or services intentionally targeted to residents of Colorado. The Colorado law is very similar to the VCDPA, with very few but significant differences. The law will go into effect on July 1, 2023.

China

China’s Personal Information Protection Law (PIPL)

Effective Date: November 1, 2021
Region: APAC (Asia-Pacific)

On 20 August 2021, China enacted its main data protection regulation, the Personal Information Protection Law (PIPL) that will come into effect on November 1, 2021. PIPL applies to organizations that are providing services within China, processing and analyzing personal information of Chinese citizens from within or outside the country. It imposes several stricter obligations on data controllers & processors and also provides extensive rights to individuals.


China’s Data Security Law (DSL)

Effective Date: Since September 1, 2021
Region: APAC (Asia-Pacific)

The Data Security Law (DSL) of China governs companies operating in the region to classify and categorize data for optimal protection. The law regulates how organizations should process and handle users’ personal information. Mishandling of any information and violation can result in a criminal offense and fines of up to $1.5 million. Similar to PIPL, DSL applies to companies that are conducting business in China or collecting and processing PI of Chinese citizens from anywhere in the world.


China’s Cybersecurity Law (CSL)

Effective Date: Since June 1, 2017
Region: APAC (Asia-Pacific)

China’s Cybersecurity Law (the “CSL”) went into effect on June 1st, 2017. It applies to the operation, maintenance, and use of information networks to protect the legal interests and rights of organizations as well as individuals in China. It also promotes the secure development of technology and the digitization of the economy in China.

Thailand

Thailand’s Personal Data Protection Act (PDPA)

Effective Date: June 1, 2022
Region: APAC (Asia-Pacific)

Thailand's first consolidated Personal Data Protection Law (PDPA) aims to guarantee the protection of individuals' personal data and impose obligations on businesses that deal with the collection, usage, and disclosure of personal data. PDPA applies to any organization located inside Thailand and organizations with consumers in Thailand that deal with the personal data of Thai residents. PDPA will come into effect on June 1, 2022.

Switzerland

Switzerland Federal Act on Data Protection (FADP)

Effective Date: 2022
Region: EMEA (Europe, the Middle East, and Africa)

While Switzerland is part of neither the EU nor the EEA, the EU’s GDPR has compelled the Swiss government to bring forward data privacy laws following international standards. On 25 September 2020, the Swiss government approved the Federal Data Protection Act (FADP), replacing the previous 1992 Act. The new Swiss FADP will take effect in 2022.

Australia

Australian Privacy Act 1988

Effective Date: Since 1988
Region: APAC (Asia-Pacific)

It has been over 20 years since the Privacy Act 1988 was enforced in Australia. It was established to ensure the protection of the privacy of Australian data subjects, obligating the Australian Privacy Principles Entities (APP entities), including both private sector and government agencies, to ensure transparent and open processing of personal information, including but not limited to data subjects’ credit card report, medical report, and tax file number.

Bahrain

Bahrain’s Personal Data Protection Law (PDPL)

Effective Date: Since August 1, 2019
Region: EMEA (Europe, the Middle East and Africa)

PDPL takes after Bahrain’s data protection regulations, Law no. 30, replacing all the other laws in the region. The PDPL regulations enforce businesses and individuals operating within or outside Bahrain collecting personal information of users in Bahrain to ensure the collection and processing of personal data only for legitimate purposes. The regulations further define the personal information privacy rights of data subjects, and possible fines and penalties in the event of a breach of any policies.

Brazil

Brasil’s Lei Geral de Proteção de Dados (LGPD)

Effective Date: Since September 18, 2020
Region: LATAM (Latin America)

Lei Geral de Proteção de Dados (LGPD) is a comprehensive data protection law in Brazil that takes its inspiration from the EU’s GDPR. The data protection law applies to all data subjects located in Brazil and who are served different products or services from companies operating inside or outside Brazil. The law establishes ten legal bases for the lawful processing and handling of data, imposing heavy penalties upon violation.

Canada

Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)

Effective Date: Since January 1, 2004
Region: NA (North America)

PIPEDA governs the data collection, processing, and protection by the Canadian private sector under Bill C-6. The data privacy and protection regulations were enacted to assure the global community of the data protection practices and compliance of Canadian private sectors. The regulations apply to for-profit organizations offering commercial services in Canada.

Hong Kong

Hong Kong Personal Data (Privacy) Ordinance (PDPO)

Effective Date: Since 1995
Region: APAC (Asia-Pacific)

The PDPO regulations passed by the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong govern how organizations and other entities should collect, use, process, or disclose the personal information of data subjects who reside in Hong Kong. The personal data protected under PDPO includes name, medical record, identity card number, etc. The regulations are applicable to local and international companies where the personal data is handled by a data user in Hong Kong.

India

Indian Data Protection Bill (DPB) 2021

Effective Date: Dec 11, 2019
Region: APAC (Asia-Pacific)

Introduced in 2019 as the Personal Data Protection Bill, the Data Protection Bill (DPB) 2021 is now about to become part of the country’s legislature. In addition to personal data, it will also carry provisions on non-personal data, requiring all companies to be more transparent on how they collect users’ data. The Bill also gives users the right to request access, alteration, and deletion of any data collected.

Ireland

Irish Data Protection Act (Irish DPA)

Effective Date: May 24, 2018
Region: EMEA (Europe, the Middle East and Africa)

The Irish DPA implements the GDPR into the national law by incorporating most of the provisions of the GDPR with limited additions and deletions. It contains several provisions restricting data subjects’ rights that they generally have under the GDPR, for example, where restrictions are necessary for the enforcement of civil law claims.

Japan

Japan Act on the Protection of Personal Information (APPI)

Effective Date: 2022
Region: APAC (Asia-Pacific)

Japan’s data protection law, the Act on the Protection of Personal Information (APPI), adopted in 2003, is one of Asia’s first data protection regulations. The APPI has evolved over the years and received a significant overhaul in September 2015. The data protection law was further materially revised in 2020 and is expected to come into effect in 2022.

New Zealand

New Zealand’s Privacy Act 2020 (NZPA)

Effective Date: December 1, 2020
Region: APAC (Asia-Pacific)

New Zealand’s Privacy Act (NZPA) 2020 is the revised version of its older Privacy Act 1993. It applies to not only New Zealand entities but also to overseas entities in the course of carrying on business in New Zealand, irrespective of their size, geographical location, and whether or not they are registered in New Zealand. NZPA introduces mandatory breach notification requirements including the obligation to notify even those privacy breaches that are caused by any outsourced third-party, in addition to other data protection obligations.

Philippines

Philippines' Data Privacy Act 2012 (DPA)

Effective Date: Since 2012
Region: APAC (Asia-Pacific)

The Philippines Data Privacy Act of 2012 sets the ground rules for organizations dealing with the personal information of Filipinos. The Act gives data subjects the right to control the handling of their data and file complaints against the Personal Information Controller (PIC) for illegal access to or processing of their data. The Act also outlines penalties against any violation. This applies to persons or entities serving users in the Philippines and conducting business from within or outside the Philippines or having links with any third party with presence in the country.

Qatar

Qatar’s Data Privacy Law

Effective Date: Since 2016
Region: EMEA (Europe, the Middle East and Africa)

Qatar is the first member of the Gulf Cooperation Council (GCC) that has established data protection regulations that govern how organizations treat the personal information of data subjects within Qatar. The law was introduced in 2016, but a new set of regulations was later imposed on January 31, 2021, to further strengthen data protection policies.

South Korea

South Korea Personal Information Protection Act (PIPA)

Effective Date: Since 2012 (Revised in 2020)
Region: APAC (Asia-Pacific)

South Korea has elaborate laws and regulations related to data protection. The country’s Personal Information Protection Act (PIPA), revised in 2020, brings forth strict rules, which govern the collection, usage, disclosure, and other processing of personal information by government bodies, private entities, and individuals.

Saudi Arabia

Saudi Arabia’s Personal Data Protection Law (PDPL)

Effective Date: March 23, 2022
Region: EMEA (Europe, the Middle East and Africa)

Saudi Arabia has drafted a data privacy regulation to protect the personal data of individuals in Saudi Arabia. This law was approved by the Council of Ministers in Saudi Arabia and is named the Personal Data Protection Law (the “PDPL”). The PDPL aims to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by the organizations. The law is applicable to entities within or outside Saudi Arabia processing personal information of Saudi Arabia residents.


Saudi Arabian E-Commerce Law (ECL)

Effective Date: Since October 2019
Region: EMEA (Europe, the Middle East and Africa)

The Kingdom of Saudi Arabia (KSA) established the E-commerce Law in the region to promote transparency and protection of consumers’ personal data privacy rights, mandating organizations involved in E-commerce transactions to ensure appropriate security and privacy measures. The regulations are applicable to entities conducting businesses within or outside Saudi Arabia, offering services to Saudi Arabia residents.

Singapore

Singapore’s Personal Data Protection Act (PDPA)

Effective Date: Since November 2012
Region: APAC (Asia-Pacific)

The Personal Data Protection Act (PDPA) 2012 of Singapore supplements the sector-specific legislative frameworks, limiting organizations from collecting and processing personal data other than for legitimate purposes. The act also requires organizations to exercise care while collecting, using, and disclosing personal data. PDPA enjoys an extraterritorial reach, and thus, it applies to companies whether they are working in or outside Singapore.

South Africa

South Africa’s Protection of Personal Information Act (POPIA)

Effective Date: Since July 1, 2021
Region: EMEA (Europe, the Middle East and Africa)

POPIA is established to empower data subjects to have better control over the free flow of their personal information and file complaints against privacy violations. It applies to public and private bodies that are domiciled in South Africa, and to those not domiciled in South Africa if they process personal information in South Africa, unless such processing is only used to forward the information through the country. Violators may be fined up to ZAR10 million or get sentenced to up to 10 years in jail.

Turkey

Turkey’s Law on the Protection of Personal Data (LPPD)

Effective Date: Since April 7, 2016
Region: EMEA (Europe, the Middle East and Africa)

In 2016, Turkey established its first personal data protection rights, limiting organizations and individuals from processing PI of users without explicit consent and any legal basis. Similar to GDPR, data subjects have the right to be informed, to access, rectify, erase, object, and opt out, the right to data portability, and the right not to be subject to automated decision-making. Violators may be fined up to TRY 1 million or face six months to 4 years of imprisonment. The regulations apply to data controllers conducting business inside or outside Turkey but serving data subjects residing in Turkey.

United Arab Emirates

UAE’s Federal Decree-Law No. (45) of 2021 on Personal Data Protection (PDPL)

Effective Date: January 2, 2022
Region: EMEA (Europe, the Middle East and Africa)

The UAE Cabinet issued its highly anticipated Federal Decree-Law No. 45 of 2021 regarding the Protection of Personal Data (PDPL). The PDPL is one of the first projects of UAE’s legislative reform that came into effect on 2 January 2022. Executive regulations are due to be issued by 20 March 2022. The law applies to the processing of personal data, by wholly or partly automated means, or any other means, by any data controller or data processor within the UAE processing the personal data of UAE’s residents who are within or outside of the UAE. The law also applies to data controllers or data processors who are not established in UAE but process the personal data of residents of UAE.


UAE’s TRA’s Consumer Protection Regulations (CPR)

Region: EMEA (Europe, the Middle East and Africa)

The Telecommunications Regulatory Authority (TRA) of UAE established Consumer Protection Regulations (CPR) mandating all licensed companies in the UAE to strictly protect the PI of consumers. The laws require licensed companies to take measures against PI data leakage, unauthorized access, privacy risks, inappropriate use of PI, etc.

UAE’s CBUAE SVF Regulation

Region: EMEA (Europe, the Middle East and Africa)

The Central Bank of UAE (CBUAE) established Stored Value Facilities (SVF) Regulations. Apart from fostering digital payment systems in the region, the regulations also mandate licensed companies to protect the personal information of their customers and protect their systems and data with strict security measures against unauthorized access, inappropriate use, misuse, and any tampering.


DIFC’s Data Protection Law 2020

Region: EMEA (Europe, the Middle East and Africa)

The Dubai International Financial Center (DIFC) Data Protection Law 2020 supersedes the Data Protection Law 2007, subjecting organizations in the special economic zone in Dubai to protect individuals’ right to privacy. The law runs in parallel with the international privacy regulations, such as the GDPR and CCPA. It is established to help regional regulatory authorities realize DIFC’s sufficient data protection practices so they may allow data transfer to and from the special economic zone.

France

France Data Protection Law

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East, and Africa)

As a member of the European Union (EU), France is subject to the General Data Protection Regulation (GDPR). However, like all other EU nations, the country has its own interpretation of the GDPR to facilitate the law's implementation as per French needs. That is where the Data Protection Act comes in.

Germany

Germany Federal Data Protection Act

Effective Date: Since May 29, 2018
Region: APAC (Asia-Pacific)

One aspect of GDPR that is open to differences is the age of consent to differentiate between adult and child data subjects. Germany has set the age of consent with regard to data protection at 16 years old. Understanding the law and its basics can help companies remain compliant with the law's provisions while also gaining a competitive advantage over their competitors within Germany.

Italy

Italy Data Protection Law

Effective Date: Since Dec 19, 2018
Region: EMEA (Europe, the Middle East, and Africa)

Italy is a member country of the European Union where the GDPR is fully effective. Italy implemented the GDPR on 19 December 2018 by revising its Personal Data Protection Code as certain sections directly conflicted with the GDPR. In short, the old legislation has been updated to meet the requirements of the GDPR.

Spain

Spain Data Protection Law

Effective Date: Since May 29, 2018
Region: EMEA (Europe, the Middle East, and Africa)

Spain was one of the first countries globally to take active legislative measures to protect the privacy of its citizens' personal information and data. The Spanish Constitution of 1978 states, "the law shall restrict the use of informatics in order to protect the honor and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights".

Zimbabwe

Zimbabwe Data Protection Act

Effective Date: Since December 3, 2021
Region: EMEA (Europe, the Middle East, and Africa)

Zimbabwe has officially been in the process of legislating a concrete data protection bill since 2020. In May 2020, the Bill was formally gazetted with public hearings starting in July 2020. At this point, the Bill was still called the Cybersecurity and Data Protection Bill.

Rwanda

Rwanda Data Protection Law

Effective Date: Since Oct 15, 2021
Region: EMEA (Europe, the Middle East, and Africa)

Rwanda’s Data Privacy Law comes into enactment after a comprehensive consultation process. During the consultation process, multiple additions and revisions were received from private companies in Rwanda. The most feedback and corrections received were from the financial sector, which deals with Rwandese citizens' sensitive personal data.

Indonesia

Indonesia Data Protection Law

Effective Date: Since Oct 15, 2021
Region: APAC (Asia-Pacific)

The need for data protection stems from the concern of personal data being collected, stored, or shared without the knowledge and consent of the individual(s). As of this writing, there is no comprehensive data protection law in Indonesia. However, as a general rule of thumb, Indonesia protects the data of its citizens in the Constitution of the Republic of Indonesia 1945 ('the Constitution'). Article 28G of the Constitution states: 'Each person shall have the right to the protection of their personal selves, families, respect, dignity, and possessions under their control.'

Ghana

Ghana Data Protection Law

Effective Date: Since Oct 2012
Region: EMEA (Europe, the Middle East, and Africa)

Ghana Data Protection Act 2012 establishes a comprehensive set of provisions governing the collection, processing, use, and protection of personal data by the data controller or data processor. Ghana’s DPA 2012 applies to organizations that process Ghana’s residents’ personal data across the region and beyond.

Kenya

Kenya Data Protection Act

Effective Date: Since Nov 2019
Region: EMEA (Europe, the Middle East, and Africa)

Kenya’s Data Protection Act, 2019 (DPA) is based on the framework of the EU’s General Data Protection Regulation (GDPR), making it the third region in East Africa to have enacted and enforced data protection regulations. The DPA seeks to protect the personal data of individuals by obligating data controllers and data processors and regulating the processing of personal data. The DPA protects the personal data of individuals residing in Kenya.

Uganda

Uganda Data Protection Act

Effective Date: Since 1st Mar 2019
Region: EMEA (Europe, the Middle East, and Africa)

Uganda’s Data Protection and Privacy Act 2019 seeks to protect Uganda’s citizens and their personal data by outlining and implementing rules for processing personal data and sensitive personal data by entities within or outside the country. Uganda’s data protection law further bestows rights upon individuals, allowing them to control how their data is collected and processed. The Data Protection and Privacy Act 2019 applies to both public and private entities.

Malaysia

Malaysia Personal Data Protection Act (PDPA)

Effective Date: Since 15 Nov 2013
Region: APAC (Asia-Pacific)

Malaysia’s Personal Data Protection Act (PDPA) was passed by the Parliament of Malaysia on 2 June 2010. The PDPA sets out a complete cross-sectoral framework to protect the personal data of individuals with respect to commercial transactions. The PDPA applies to any person or data user (organization) who processes or has control over a data subject’s personal data. The PDPA aims to avoid any misuse of individuals’ personal data.

European Union

EU’s General Data Protection Regulation (GDPR)

Effective Date: Since May 29, 2018
Region: European Union

The European Union’s General Data Protection Regulation (GDPR) is considered to be the most comprehensive data protection legal framework that aims to protect personal data of natural persons and grants several rights to them. The regulation applies to companies established in the EU. It also applies to organizations not established in the EU that monitor individuals’ behavior in the EU or offer goods or services to data subjects in the EU. Inspired by the GDPR, countries all around the world have formulated their data protection laws based on a similar framework.


Compliance with applicable global data privacy laws is obligatory for businesses.
Failure to comply can result in huge losses, such as loss of consumer trust, class-action lawsuits, and hefty fines.
Is your organization ready to comply with the existing as well as upcoming data privacy laws?
